Cosmos-based Gravity Bridge drained of $5.4 million in suspected key compromise, researchers say

Gravity Bridge, a cross-chain protocol that moves assets between Ethereum and the Cosmos ecosystem, was drained of roughly $5.4 million early Saturday in what security researchers believe was a compromised signing key rather than a smart contract bug.

The unusual outflows were first flagged by onchain analyst Specter and later corroborated by security firm PeckShield. Specter said it appears the bridge's signing keys may have been compromised, allowing the attacker to push out a series of unauthorized withdrawals.

The stolen funds break down to about $4.3 million in USDC, 274 wrapped ether worth roughly $553,000, $434,000 in tether and 14.16 PAXG tokens worth about $64,000, according to PeckShield's tally. The assets were routed to an address ending in 7C62da1F9, with the drained contract identified by Specter as one ending in 1F2D906.

"There was an unfortunate incident on Gravity," the team wrote on X Saturday. "Validators should halt their validators and orchestrators while this incident is being investigated." In a follow-up post, the team said the bridge is currently halted while it investigates the attack.

The attacker began moving funds almost immediately. PeckShield said a portion of the haul has already been laundered through the instant-swap service ChangeNow and through Binance, while the theft wallet was still holding around 2,100 ETH, or about $4.23 million, at the time of its report. An Arkham snapshot shared by Specter showed a related wallet holding roughly $4.16 million in ether.