Gravity Bridge, a cross-chain protocol connecting Ethereum and the Cosmos network, halted operations on May 31, 2026 after a confirmed exploit. Attackers drained $5.4 million in mixed tokens by compromising the bridge contract's private signing key. Within hours, part of the stolen funds moved through the ChangeNow instant-swap service and appeared on Binance.
Onchain analyst Specter was the first to flag the unusual outflows in a public post on X. Security firm PeckShield confirmed the incident shortly after and published a breakdown of the stolen assets by token type.
How the Attack Worked: Contract Key Compromise
Gravity Bridge facilitates token transfers between Ethereum and Cosmos in both directions: from Ethereum to Cosmos-based DEXs like Osmosis, and from Cosmos networks back to Ethereum platforms such as Uniswap. Unlike bridges secured by a small multisig group, Gravity Bridge uses its full validator set to authorize transfers. That design is marketed as a stronger security model. The attacker bypassed it entirely by targeting something else.
By gaining access to the bridge contract's own private key, the attacker could sign transactions on behalf of the contract without any validator approval. The team called on validators to halt their nodes and orchestrators pending investigation. No recovery timeline or compensation plan was announced by end of day May 31.
"It appears the Gravity Bridge contract key may have been compromised, resulting in the theft of $5.4M."
- Specter, onchain analyst, post on X, May 31, 2026
Stolen Asset Breakdown: PeckShield Data
Of the $5.4 million total, USDC made up the largest share: $4.3 million in stablecoins. Another 274 Wrapped Ether tokens were worth $553,000 at the time of theft. The haul also included $434,000 in USDT and 14.164 PAX Gold tokens valued at $64,000.
At the time of writing, the attacker's wallet still held approximately 2,102 ETH worth $4.23 million, meaning most of the stolen funds had not yet moved. Gravity Bridge's native token Graviton (GRAV) fell 4% in the 24 hours after the attack to $0.0007053, per CoinMarketCap data.
Where the Money Went: ChangeNow and Binance
The laundering route follows a pattern seen in many DeFi exploits. Part of the stolen tokens was routed through ChangeNow, a no-KYC instant-swap service. From there, funds moved to Binance. Routing through non-KYC platforms makes wallet attribution harder and buys the attacker time to fragment holdings across multiple addresses.
PeckShield and other onchain firms are actively tracking the attacker's wallets. While the bulk of ETH remains on the original address, the funds that already moved are practically unrecoverable without voluntary cooperation from the receiving platforms.
Eighth Major Bridge Hack of 2026: The Running Tally
According to CoinTelegraph, the Gravity Bridge attack is the eighth significant bridge exploit of 2026. Combined losses across all eight incidents now exceed $328.6 million. The largest single event was the KelpDAO breach, attributed to North Korea's Lazarus Group, which drained roughly $290 million. In the days after that hack, total DeFi TVL dropped from around $100 billion to $86 billion in just 48 hours, with outflows hitting pools that had no direct connection to the affected protocol.
JPMorgan analysts flagged bridge security as a central obstacle to institutional DeFi adoption in an April 2026 research note. That report aged quickly: the next major exploit arrived less than two months later. At eight breaches in five months, 2026 is on pace to surpass prior years for bridge losses.
Decentralized Architecture vs. a Single Compromised Key
Gravity Bridge markets itself as more secure than multisig bridges because authorization is distributed across its full validator set, backed by GRAV staking. That architecture holds up in scenarios where validators are the attack surface. It does not help when the bridge contract's own administrative key is compromised.
This raises a question the DeFi security community has debated for years: how should protocols store and rotate administrative keys when even a distributed authorization layer depends on some central management point? After three major exploits in April-May 2026 alone, the question is moving from security forums into regulatory discussions. Decentralized architecture on the outside and a vulnerable admin key on the inside are not contradictions. They are the actual configuration of many live protocols.
What Comes Next for Cosmos and the Bridge Market
Gravity Bridge has not announced a restart timeline or a compensation plan for affected users. With eight major attacks in five months, cross-chain bridges enter the second half of 2026 under growing scrutiny from security auditors and policymakers. Each new incident strengthens the case for mandatory independent audits before bridge protocols go live or resume operations.
For the Cosmos ecosystem, this hack is another blow to cross-chain infrastructure after a string of DeFi incidents. Restoring confidence will depend on whether the team can publicly confirm the root cause, patch the vulnerability, and commission an independent review before restarting. Without that, liquidity is unlikely to return quickly.



