Gravity Bridge, a Cosmos-based token bridge, has been drained of roughly $5.4 million in a suspected signing key compromise. Validators quickly stepped in to halt the bridge while an investigation gets underway.
How the exploit unfolded
The attack appears to have targeted the bridge’s signing key, a critical piece of infrastructure that authorizes cross-chain transfers. With that key, an attacker could effectively impersonate the bridge and move funds it was never supposed to touch. The exact method remains unclear, but investigators are working to trace the stolen assets and figure out how the key was compromised.
Validators step in
Once the breach was detected, validators on the Gravity Bridge network acted fast to pause operations. That freeze prevents further losses while the team reviews the code, checks for other vulnerabilities, and decides on next steps. For now, users can't move tokens across the bridge — a frustrating but necessary measure to contain the damage.
What’s at stake for Cosmos
Gravity Bridge is a key piece of the Cosmos ecosystem, designed to let assets move between Cosmos-based chains and Ethereum. A breach like this shakes confidence in the broader interoperability infrastructure that Cosmos has been building. Other bridges in the space have been hit before — Poly Network, Wormhole — and each incident underscores how hard it is to keep cross-chain channels secure. The $5.4 million figure is painful but not catastrophic; the bigger question is whether the team can recover the funds and restore trust.
What happens next
The investigation is ongoing. Validators are expected to decide on a timeline for restarting the bridge once they're confident the vulnerability is patched. No word yet on whether the stolen funds can be recovered or if any user compensation is planned. The next concrete step will be a security update from the Gravity Bridge team detailing the root cause and the fix.




