Gravity Bridge Investigation: Cross-Chain Bridge Exploit Analysis

📅 2025-06-03
bridge cosmos gravity-bridge exploit

Gravity Bridge Key Compromise Incident Investigation Report

Date: May 30, 2026 (Publicly Disclosed June 1)

Loss Amount: ~$5.4M

Attack Type: Validator Signing Key Leak (Not a Smart Contract Vulnerability)

Status: Team Suspended Operations


Executive Summary

Gravity Bridge is a cross-chain protocol connecting Ethereum and Cosmos ecosystems. On May 30, 2026, attackers extracted approximately $5.4 million in digital assets using leaked validator signing keys.

This is the fourth major cross-chain security incident in the first week of June 2026, once again highlighting the fatal risks of centralized signing key management.


Asset Loss Breakdown

| Asset Type | Quantity | Value |
|------------|----------|-------|
| USDC | ~$4,300,000 | $4.3M |
| WETH | 274 tokens | ~$553,000 |
| USDT | ~$434,000 | $434K |
| PAXG | 14.16 tokens | ~$64,000 |
| Total | | ~$5,400,000 |


Attack Characteristics Analysis

Key Findings

  • Not a Smart Contract Vulnerability: On-chain analysts confirmed this was a validator signing key leak, not a contract code issue
  • Bridge Operations Suspended: The team has instructed all validators to stop running validators and coordinators
  • Staggering TVL Ratio: Pre-incident TVL was approximately $11.5M, with nearly half lost in this incident

Fund Flow Tracking

| Stage | Details |
|-------|---------|
| Attacker Retention | ~2,102 ETH (~$4.23M) |
| Money Laundering Channels | ChangeNow, Binance |
| Timeline | May 30 attack → June 1 public disclosure |


Cross-Chain Bridge Attack Trends: 2026 Data

According to PeckShield statistics, 2026 has seen 14 major cross-chain bridge attacks with cumulative losses of $340.7M:

| Rank | Project | Amount | Date |
|------|---------|--------|------|
| 1 | KelpDAO | $293M | April |
| 2 | Drift Protocol | $285M | April |
| 3 | DxSale | $7.3M | June |
| 4 | Gravity Bridge | $5.4M | May |
| 5 | Alephium Bridge | $815K | May |


Gravity Bridge vs Other Bridge Attacks Comparison

| Dimension | Gravity Bridge | Typical Smart Contract Attack |
|-----------|----------------|-------------------------------|
| Vulnerability Type | Key Leak | Code Vulnerability |
| Defense Method | Traditional Security (HSM, MPC) | Formal Verification, Code Audit |
| Responsible Party | Centralized Operator | Smart Contract Code |
| Impact Scope | Controllable (suspend operations) | Difficult to modify after deployment |


Security Warnings

Key Management is the Fatal Weakness of Cross-Chain

The Gravity Bridge incident proves:

  • MPC/HSM is Not a Silver Bullet: Even with multi-signature schemes, key management processes can still be compromised
  • Insufficient Validator Decentralization: "Validator signing keys" suggest relatively centralized signing mechanisms may exist
  • TVL and Security Mismatch: $11.5M TVL supporting $5.4M in key assets creates disproportionate risk exposure

User Self-Protection Recommendations

  • Be cautious when using bridges where bridge TVL > protocol TVL
  • Do not store long-term held assets in bridge contracts
  • Monitor protocol validator count and governance structure


Data Sources

  • Sina Finance: https://finance.sina.com.cn/stock/usstock/summary/2026-06-01/doc-inhzwpyp8549134.shtml
  • Crypto Gazette: https://cryptogazette.com/crypto-bridge-hacks-340-million-2026/


Event Progress

  • ✅ Team confirmed key leak (ruled out contract vulnerability)
  • ✅ All bridge operations suspended
  • ⚠️ Validators have stopped working
  • ⚠️ Asset tracking in progress, ChangeNow and Binance may assist with freezing
  • ❌ Full incident report not yet published