Gravity Bridge cross-chain bridge drained of $5.4 million, contract nearly emptied

According to on-chain analyst Specter, the bridge contract key of Gravity Bridge, a cross-chain protocol in the Cosmos ecosystem, appears to have been leaked, and about $5.4 million in assets was stolen, including 4.3 million USDC, 274 WETH, 434,000 USDT, and about $64,000 in PAYG. The contract balance is now only about $85,000, nearly zero.
(Background: StakeDAO deployer private key leaked; the attacker minted 5.4 trillion vsdCRV on Arbitrum out of thin air)
(Additional context: Did DeFi become a hacker’s playground? 13 attacks in a month, $630 million stolen)

Key Summary

  • Gravity Bridge’s bridge contract key leaked; about $5.4 million in assets was stolen, leaving only about $85,000 in the contract balance
  • Stolen assets include 4.3 million USDC, 274 WETH, 434,000 USDT, and $64,000 PAYG
  • The second DeFi private key leak incident in three days; total losses from bridge attacks in 2026 exceed $328 million

Today (5/30), on-chain analyst Specter issued an alert saying that the bridge contract key of Gravity Bridge, an established cross-chain bridge in the Cosmos ecosystem, appears to have been leaked, and that the attacker has moved about $5.4 million in assets out of the contract. According to on-chain records on Etherscan, the Gravity Bridge Ethereum-side contract now has a remaining balance of only about $85,000 and is nearly drained.

Four types of assets drained at once

The stolen assets consist of 4.3 million USDC (about 79.6% of the total), 274 WETH (about $550,000), 434,000 USDT, and PAYG valued at about $64,000.

The involved addresses are 0x7B58…da1F9 and 0x4d3c…C7A47. On-chain records show that the first address received a deposit from Gate.io about 7 hours ago, and then transferred the funds to the second address. Currently, the second address holds about 2,065 ETH (about $4.16 million), indicating that the attacker has exchanged part of the stolen assets for ETH.

Gravity Bridge is an early cross-chain bridge project in the Cosmos ecosystem, mainly responsible for bridging assets between Cosmos and Ethereum. The security model of its Ethereum-side contract theoretically requires signatures from more than two-thirds of validators to transfer funds, so a key leak could mean the attacker was able to bypass this multi-signature safeguard.
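The two-thirds validator threshold described above can be modelled as a weighted quorum check. The following is an added example, not code from the article or from Gravity Bridge; the validator names, voting powers and function names are constructed for illustration, and it also computes how many keys would have to leak before the threshold can be crossed.

```python
# Simplified model of a "more than two-thirds of validator power" rule.
# All names and powers below are constructed sample data, not real bridge state.

EVEN_SET = {f"val{i}": 100 for i in range(10)}          # power spread evenly
CONCENTRATED_SET = {"val0": 700, "val1": 100,           # one key dominates
                    "val2": 100, "val3": 100}


def has_quorum(powers, signers):
    """Return True if distinct, known signers hold MORE than 2/3 of total power."""
    total = sum(powers.values())
    # set() drops duplicate signatures; unknown signers contribute nothing.
    signed = sum(powers[s] for s in set(signers) if s in powers)
    # Integer cross-multiplication avoids float rounding at the exact boundary.
    return signed * 3 > total * 2


def min_keys_to_quorum(powers):
    """Smallest number of validator keys whose combined power crosses the threshold.

    This is the number of keys that must stay uncompromised-together for the
    safeguard to hold: the lower it is, the closer the scheme is to single-key.
    """
    total = sum(powers.values())
    running = 0
    for count, power in enumerate(sorted(powers.values(), reverse=True), start=1):
        running += power
        if running * 3 > total * 2:
            return count
    return None  # empty validator set: no quorum is possible


if __name__ == "__main__":
    for label, vset in (("even", EVEN_SET), ("concentrated", CONCENTRATED_SET)):
        print(label, "keys needed for quorum:", min_keys_to_quorum(vset))
```

A result of 1 for a validator set means the multi-signature rule gives no more protection than a single private key.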

Two incidents in three days: private keys become DeFi’s number-one killer

This is already the second private key leak incident within three days. On May 27, the StakeDAO deployer’s private key was also leaked. The attackers used reconfigured LayerZero v2 cross-chain peer nodes to mint more than 5.4 trillion units of vsdCRV on Arbitrum out of thin air, and exchanged it for ETH.

Private key leaks have become the top attack method for cross-chain bridge hackers in 2026. This year, at least 8 major bridge protocol attacks have occurred, with cumulative losses exceeding $328 million. The largest cases are Kelp DAO ($293 million) and Drift ($285 million); both involved theft of keys or administrative permissions.

Last week, OpenZeppelin co-founder Manuel Araoz publicly called on everyone to exit their DeFi positions, including Aave and MakerDAO, saying, “All DeFi is unsafe.” The Gravity Bridge incident once again confirms his warning: attackers don’t need to find vulnerabilities in smart contracts—just a key.

As of the time of writing, Gravity Bridge’s official team has not issued any statement regarding this incident.

Frequently Asked Questions

What is Gravity Bridge? How much money was stolen?

Gravity Bridge is a cross-chain bridge protocol in the Cosmos ecosystem, responsible for bridging assets between Cosmos and Ethereum. With the suspected leak of the bridge contract key, about $5.4 million in assets was stolen, including 4.3 million USDC, 274 WETH, 434,000 USDT, and $64,000 PAYG.

How serious are the 2026 cross-chain bridge hacker attacks?

This year, there have been at least 8 major bridge protocol attacks, with cumulative losses exceeding $328 million. Private key leaks are the primary attack method; Kelp DAO ($293 million) and Drift ($285 million) are the largest cases.
