Gravity Bridge was drained of $5.4 million in a suspected signing key compromise on May 31, prompting validators to halt the cross-chain protocol connecting Ethereum to Cosmos. The attacker stole $4.3 million in USDC, 274 WETH, $434,000 in USDT and 14.164 PAXG, with funds partially laundered through ChangeNow and Binance. The incident marks the eighth major bridge exploit of 2026, with cumulative losses reaching $328.6 million.
Gravity Bridge lost $5.4 million after a suspected signing key compromise, prompting validators to halt the cross-chain protocol on May 31.
On-chain analyst Specter first flagged the unusual outflows, reporting that the bridge contract key may have been compromised. "It appears the Gravity Bridge contract key may have been compromised, resulting in the theft of $5.4M," Specter wrote on X.
The stolen assets included $4.3 million in USDC, 274 wrapped ether worth roughly $553,000, $434,000 in USDT and 14.164 PAXG tokens valued at about $64,000, according to security firm PeckShield. The attacker swapped most stablecoins into ether and now controls about 2,102 ETH worth $4.23 million, PeckShield said. Part of the haul was laundered through instant-swap service ChangeNow and through Binance, with the attacker moving quickly to break the link between stolen assets and the original exploit wallet.
The exploit adds to a string of 2026 bridge hacks that have drained a cumulative $328.6 million across eight major incidents, reinforcing concerns about cross-chain security. Gravity Bridge, which connects Ethereum to the Cosmos ecosystem through IBC, held roughly $11.5 million in total value locked before the drain.
Gravity Bridge acknowledged the incident on X, asking validators to halt their validators and orchestrators while the incident is investigated. In a follow-up post, the team confirmed the bridge had been halted.
Unlike bridges that rely on centralized multi-signatures, Gravity Bridge uses its full validator set to authorize transfers, making it one of the more decentralized bridge designs in the space, according to its website. The suspected key compromise shifts the focus away from smart contract code and toward validator authorization controls — a pattern that has appeared in other 2026 bridge incidents including the KelpDAO breach that drained roughly $290 million in April, attributed to North Korea's Lazarus Group.
JPMorgan analysts flagged bridge security as a major challenge in an April research note, questioning whether DeFi can scale to meet institutional demand. Following the KelpDAO breach, total value locked across DeFi fell from nearly $100 billion to around $86 billion in two days, with outflows hitting pools that had no direct exposure to the compromised assets.
The GRAV token fell 4% to $0.0007053 over the past day, according to CoinMarketCap data. The bridge remains halted while the investigation continues.
This article is for informational purposes only and does not constitute investment advice.
