Gravity Bridge Signing-Key Compromise

On May 30, 2026, Gravity Bridge, the Cosmos-based cross-chain bridge connecting Cosmos to Ethereum, was drained of approximately $5.4 million after attackers appear to have compromised the validator signing keys that authorize transfers. With enough valid signatures in hand, the attacker pushed through a series of forged withdrawals that the bridge treated as legitimate.

What happened

Gravity Bridge works by locking tokens on Ethereum and minting mirrored representations on Cosmos, with validator signatures authorizing each cross-chain transfer. According to blockchain security researchers including PeckShield, the bridge's signing keys were apparently compromised, letting the attacker authorize unauthorized withdrawals directly. The stolen funds were reported as roughly $4.3 million in USDC, 274 wrapped ether (~$553,000), about $434,000 in USDT, and 14.16 PAXG (~$64,000). The attacker began laundering a portion through ChangeNow and Binance while continuing to hold a large balance in ETH.

Aftermath

Gravity Bridge acknowledged the incident and halted the bridge while it investigated. As of reporting the funds remained unrecovered, with researchers tracking the attacker's wallets on-chain.

Why it matters

The Gravity Bridge drain is another entry in 2026's dominant theme: bridges and validator-set custody are the highest-value attack surface in crypto. Like IoTeX's ioTube and the Verus-Ethereum bridge, the failure was not a clever contract bug but key custody — once an attacker controls enough signing keys, a bridge's signature-checking logic faithfully validates fraudulent withdrawals. It echoes the lesson of validator-key and admin-key compromises across the catalogue (Wasabi Protocol, Hyperbridge): cross-chain infrastructure is only as secure as the keys behind its multisig, and signature thresholds add little protection once the signers themselves are breached.