Gravity Bridge halted after $5.4M drain on suspected key compromise
Cosmos-Ethereum Gravity Bridge lost ~$5.4M on May 30. Peckshield and on-chain analyst Specter call it a signing key compromise. Team halted validators; attacker holds ~2,102 ETH.
Gravity Bridge, the validator-signed bridge that moves ERC-20 assets between Ethereum and Cosmos SDK chains, was drained of about $5.4M early Saturday May 30, according to security firms Peckshield and Cyvers and the on-chain analyst Specter. The Gravity team subsequently halted the bridge and asked validators and orchestrators to stop while it investigates. As of the latest tracking reports, the attacker still holds roughly 2,102 ETH (~$4.23M) and has already routed part of the haul through ChangeNow and Binance.
What happened
Peckshield flagged a series of unauthorized withdrawals from the bridge contracts on Saturday morning UTC and put the loss at approximately $5.4M:
- $4.3M in USDC
- 274 ETH (~$553,000)
- $434,000 in USDT
- 14.164 PAYG tokens (~$64,000)
The Block, citing Peckshield and Cyvers, attributes the drain to a suspected compromise of the bridge's signing keys rather than a smart-contract bug. Read its writeup: Cosmos-based Gravity Bridge drained of $5.4 million in suspected key compromise, researchers say.
Peckshield labeled two attacker addresses by truncated form — one ending in …a1F9 and one ending in …7A47 — and tracked a destination wallet ending in …7C62da1F9 that received the consolidated funds. The full addresses are not in the public alert; treat the truncated forms as cited by Peckshield, not verified independently here.
Mechanism — validator-signed bridge, single point of failure
Gravity Bridge's design is documented in the Gravity-Bridge/Gravity-Bridge GitHub repo. Assets locked in the Ethereum-side bridge contract are released only when a quorum of Gravity Bridge validators sign the corresponding withdrawal message. The contract is intentionally simple: no upgradeability tricks, no admin keys — security reduces to the integrity of the validator-signer set.
That is what makes the signing-key path the soft target. If an attacker obtains enough validator signing material (or a single signing path with sufficient authority over the contract's quorum logic), they can craft withdrawal messages the contract will honor as authorized. Specter, the on-chain analyst who first flagged the unusual withdrawals, attributed the pattern to a compromised signing path — not a contract exploit.
The Gravity team has not published a formal post-mortem at the time of writing. The exact entry point — leaked validator keys, an infrastructure breach at a signer, an orchestrator misconfiguration — is unconfirmed.
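To make the quorum dependency concrete, here is an added illustrative model of a power-weighted validator signature check; it is not code from the Gravity-Bridge repository, and the validator set, powers, threshold constant and the HMAC stand-in for per-validator ECDSA keys are all constructed assumptions.

```python
import hashlib
import hmac

# Assumed for illustration: validator voting power is encoded as integers summing
# to 2**32, and a withdrawal is honored once the power behind valid signatures
# reaches roughly two thirds of that total.
TOTAL_POWER = 2**32
POWER_THRESHOLD = 2863311530  # ~66.67% of TOTAL_POWER (assumed constant)

# Constructed validator set: name -> (voting power, secret signing key).
# HMAC-SHA256 stands in for the real ECDSA keys held by each validator.
VALSET = {
    "val-a": (TOTAL_POWER * 40 // 100, b"secret-a"),
    "val-b": (TOTAL_POWER * 30 // 100, b"secret-b"),
    "val-c": (TOTAL_POWER * 20 // 100, b"secret-c"),
    "val-d": (TOTAL_POWER * 10 // 100, b"secret-d"),
}


def withdrawal_digest(token, amount, dest, nonce):
    """Canonical bytes the validators sign for one withdrawal (constructed format)."""
    return hashlib.sha256(f"{token}|{amount}|{dest}|{nonce}".encode()).digest()


def sign(name, digest):
    """A validator signs the digest with its own key."""
    _, key = VALSET[name]
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify_quorum(digest, signatures):
    """Return (accepted, signed_power), counting power only behind valid signatures.

    The check has no notion of *who* holds a key: a stolen key that verifies is
    indistinguishable from its honest owner, which is the single point of failure.
    """
    signed_power = 0
    for name, sig in signatures.items():
        if name not in VALSET:
            continue  # unknown signer contributes nothing
        power, key = VALSET[name]
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            signed_power += power
    return signed_power >= POWER_THRESHOLD, signed_power


def release_allowed(signers, token, amount, dest, nonce):
    """Would the bridge release `amount` of `token` if exactly `signers` signed?"""
    digest = withdrawal_digest(token, amount, dest, nonce)
    return verify_quorum(digest, {n: sign(n, digest) for n in signers})[0]
```

With these constructed powers, val-a and val-b together (70%) clear the threshold while any two-validator pair without val-a does not, which is why key custody at the largest signers, not contract logic, decides the bridge's security.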
Impact
- The bridge is paused. The Gravity team has asked validators and orchestrators to stop. Cross-chain transfers between Ethereum and connected Cosmos chains via Gravity are unavailable until the team and validator set lift the halt.
- Funds are partially laundered. Peckshield says $1M+ has already moved through ChangeNow and Binance, with the attacker still sitting on roughly 2,102 ETH on-chain.
- No user-side compromise. Holders of Gravity-bridged assets do not need to rotate wallets; the loss is from the bridge's locked-asset side, not from approvals or signed transactions.
- Downstream exposure. Cosmos chains that source ERC-20 liquidity via Gravity (notably for USDC and USDT) may see thinning liquidity in those wrapped balances until an alternative bridging path stabilizes.
What to watch
- Post-mortem from the Gravity team. The specific entry point matters: a leaked individual validator key implies a single-signer compromise; an orchestrator infrastructure breach implies a broader rewrite of operational practice.
- Recovery vs. laundering pace. Binance's compliance team has reacted quickly to past bridge thefts (Ronin, Harmony Horizon) when funds touched the exchange. Watch for freezes on the ~2,102 ETH currently sitting in the attacker's main wallet.
- Validator-set response. A reconfiguration of the signer set, with rotated keys and revoked permissions, is the minimum precondition for unhalting. Anything less than that is not a safe restart.
- Cosmos counterparties. Osmosis, Canto, Crescent and other chains that rely on Gravity-routed ERC-20s will need to communicate any user-facing balance impacts. So far, none have reported wrapped-asset depegs.
Context — bridge keys, the recurring failure mode
Bridge incidents in 2026 have skewed toward exactly this primitive: not contract bugs, but the keys that authorize the contracts. Peckshield's running tally puts bridge-related losses at roughly $328.6M across eight incidents in May 2026 alone. The Alephium bridge exploit on May 30 ($815K) and Gravity on the same day make it a two-bridge day.
This is the same failure pattern Blockchain Posts has covered in the Bybit cold-wallet exploit and the StablR multisig minting compromise: contracts behaved as written; the keys did not. For validator-signed bridges, the only durable mitigation is hardware-root-of-trust signing across geographically and operationally distinct validators — and an off-switch the validator set can actually pull when one of them goes wrong. Gravity used its off-switch in time to limit the loss. The next bridge in this class might not.