Gravity Bridge, a Cosmos-native cross-chain protocol, suffered a compromised-key attack over the weekend, resulting in the theft of roughly $5.4 million. Blockchain sleuth Specter flagged the incident on May 31 as a signing key compromise. The team has instructed validators and orchestrators to halt operations while the investigation continues.
How the signing key was exploited
Gravity Bridge works by locking tokens on Ethereum and minting replicas on Cosmos. Validator signatures authorize those transfers. A signing key compromise means an attacker could forge transactions that look legitimate to the network — no smart contract bugs required. This kind of access-control failure is a recurring theme in crypto bridge hacks, where the code itself is sound but the keys aren't.
What was taken
Stolen assets include $4.3 million in USDC, 274 wrapped Ether (about $553,000), $434,000 in USDT, and 14.16 PAXG tokens worth roughly $64,000. The attacker moved some funds through ChangeNOW and Binance, according to security firm PeckShield. As of May 31, the hacker still holds over 2,100 Ether — about $4.23 million.
Part of a brutal year for DeFi
This isn't an isolated event. 2026 has already seen the $292 million Kelp DAO hack and Drift Protocol's $285 million loss. A TRM Labs report identified April 2026 as the most hacked month in crypto history. Bridge attacks have become a familiar pattern: thieves target the human layer — keys, multisig signers, governance — not the underlying smart contracts.
Gravity Bridge hasn't said when validators can resume operations. The investigation is ongoing, and the team hasn't provided a timeline for a fix or recovery plan.
