Gravity Bridge has been paused after roughly $5.4 million in assets were withdrawn in an incident security researchers say looks like a signing-key compromise rather than a smart-contract exploit.
On-chain analyst Specter first flagged a pattern of unusual withdrawals, and security firm PeckShield later published a breakdown of the funds taken. PeckShield reported about $4.3 million in USDC, 274 wrapped ether (around $553,000), $434,000 in USDT, and roughly 14.16 PAXG valued at about $64,000. According to the firms, those tokens were moved to a wallet ending in 7C62da1F9; Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906.
Following the alerts, the Gravity Bridge team posted that validators should stop their validator nodes and orchestrators while the incident is investigated. The bridge itself has been halted pending a full review.
Gravity Bridge links Ethereum and the Cosmos ecosystem by locking assets on Ethereum and minting equivalent tokens on Cosmos chains. Transfers across the bridge are authorized by validator signatures, so researchers say an attacker who controls enough valid signing keys could make withdrawals that appear legitimate to the system. Both Specter and PeckShield emphasized that the observed transaction pattern was consistent with compromised authorization keys rather than a direct bug in contract logic. The Gravity team has not yet published a postmortem, so the precise entry point remains unconfirmed, as does whether private keys, validator infrastructure, or another operational weakness was involved.
PeckShield also reported that some of the stolen assets moved through swap services after the drain, citing ChangeNOW and Binance. When PeckShield published its update, it said the attacker-controlled wallet still held about 2,100 ETH (valued near $4.23 million). Specter shared a wallet snapshot via Arkham showing a related address holding roughly $4.16 million in ether. Investigators and on-chain trackers are following the funds across multiple services and wallets.
Gravity Bridge was developed with contributions from teams including Althea and is secured by the GRAV token and a validator set. If the initial assessments are confirmed, this would join a series of 2026 bridge incidents in which failures in key management or authorization, not audited contract code, were central to losses. Security researchers have drawn parallels to earlier cases this year, such as those involving Kelp DAO and Resolv, where operational and key-management issues played crucial roles.
Industry monitoring firm TRM Labs has noted that bridge attacks remain a major source of crypto losses in 2026. While the Gravity Bridge loss is significant for users and the protocol, it is smaller than some past bridge breaches, such as the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.
The Gravity team continues to investigate and has encouraged validators to remain offline until they provide further guidance. Users and observers are awaiting a full technical postmortem to clarify how the breach occurred and what steps will be taken to secure the bridge and recover or contain stolen funds.