Gravity Bridge loses $5.4M in suspected key compromise

Gravity Bridge lost about $5.4M early Saturday after analysts flagged a likely compromise of validator signing keys; the bridge is halted for investigation.

Cosmos-based Gravity Bridge lost roughly $5.4 million early Saturday after on-chain analysts flagged unusual outflows tied to a single attacker-controlled address. The project halted the bridge and urged validators to stop operations while the team investigates.

Security analysts traced the funds to an address ending in 7C62da1F9 and linked withdrawals to a contract ending in 1F2D906. PeckShield's tally put the haul at about $4.3 million in USDC, 274 wrapped ether (around $553,000), $434,000 in tether and 14.16 PAXG tokens valued near $64,000.

A snapshot shared by on-chain analysts showed a related wallet holding roughly $4.16 million in ether, and at the time of the security report the theft wallet still held about 2,100 ETH, roughly $4.23 million. Transaction traces show portions of the funds moved through the instant-swap service ChangeNow and through Binance.

Gravity Bridge works by locking tokens on Ethereum and minting mirrored tokens on Cosmos, with validators signing each transfer. Researchers identified the pattern of withdrawals as consistent with a compromise of validator signing keys rather than a flaw in the bridge's smart-contract code; if attackers obtain enough signing keys, the network can accept forged withdrawal requests as legitimate.
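An added illustration (not Gravity Bridge's code and not from the article) of the weighted-signature check described above: the verifier sees only valid signatures and their combined voting power, so key custody is the control that matters, and `min_keys_for_quorum` gives operators a simple exposure metric. The validator names, powers, the 2/3 quorum and the HMAC stand-in for real signatures are all assumptions.

```python
import hashlib
import hmac

# Constructed validator set (name -> (signing key, voting power)); not real data.
VALIDATORS = {
    "val-a": (b"key-a", 30),
    "val-b": (b"key-b", 25),
    "val-c": (b"key-c", 20),
    "val-d": (b"key-d", 15),
    "val-e": (b"key-e", 10),
}
QUORUM_NUM, QUORUM_DEN = 2, 3  # assumed: signers must hold more than 2/3 of power
TOTAL_POWER = sum(power for _, power in VALIDATORS.values())

def sign(key: bytes, message: bytes) -> bytes:
    # HMAC-SHA256 stands in for the validators' real signature scheme.
    return hmac.new(key, message, hashlib.sha256).digest()

def signed_power(message, signatures):
    """Sum the voting power of validators whose signature over message verifies."""
    power = 0
    for name, sig in signatures.items():
        entry = VALIDATORS.get(name)
        if entry and hmac.compare_digest(sig, sign(entry[0], message)):
            power += entry[1]
    return power

def withdrawal_accepted(message, signatures):
    """The only check: do valid signatures cover more than the quorum of power?"""
    return signed_power(message, signatures) * QUORUM_DEN > TOTAL_POWER * QUORUM_NUM

def min_keys_for_quorum():
    """Fewest validator keys whose combined power passes the quorum (exposure metric)."""
    acc = 0
    for count, power in enumerate(sorted((p for _, p in VALIDATORS.values()), reverse=True), 1):
        acc += power
        if acc * QUORUM_DEN > TOTAL_POWER * QUORUM_NUM:
            return count
    return None

def signatures_from(names, message):
    """Build the signature map produced by whoever holds the named keys."""
    return {n: sign(VALIDATORS[n][0], message) for n in names}

if __name__ == "__main__":
    msg = b"withdraw 1000 USDC to 0xCONSTRUCTED"
    print(withdrawal_accepted(msg, signatures_from(["val-a", "val-b", "val-c"], msg)))
    print(withdrawal_accepted(msg, signatures_from(["val-a", "val-b"], msg)))
    print(min_keys_for_quorum())
```

In this constructed set the three largest validators alone pass the quorum, which is why concentration of voting power and the custody of each signing key are worth tracking together.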

The project posted on X: “There was an unfortunate incident on Gravity,” and instructed stakeholders: “Validators should halt their validators and orchestrators while this incident is being investigated.” The team later confirmed the bridge remains halted as it probes the breach.

Gravity Bridge was built with contributions from teams including Althea and uses its native Graviton (GRAV) token in some security mechanisms. The project has not released a full technical postmortem and has not confirmed the exact method used to obtain signing credentials.

No arrests or fund recoveries have been reported. Investigators continue to trace the transfers and monitor exchanges for movement of the stolen assets.
