# Gravity Bridge Loses $5.4 Million in Suspected Signing Key Compromise — Hackers Drain Multi-Asset Pool
Attackers drained about $5.4 million from Gravity Bridge’s Ethereum-side contract early on May 30, with on-chain investigators pointing to a compromised signing key rather than a smart contract flaw. The exploit is the latest in a string of cross-chain bridge attacks that continue to plague the industry.
The drain removed $4.3 million in USDC, 274 ether worth about $553,000, $434,000 in USDT, and PAYG tokens valued at $64,000. PeckShield was among the first to flag the incident, noting the attacker had already started laundering funds through ChangeNow and Binance.
## Inside the Gravity Bridge Exploit
Gravity Bridge is a cross-chain protocol that connects Cosmos-based chains to Ethereum. The exploit hit the bridge’s verified Ethereum contract, with privileged access enabling unauthorized withdrawals that appeared to originate from authorized sources.
On-chain analyst Specter flagged the incident first, identifying two attacker addresses tied to the theft. Cyvers Alerts and other on-chain monitors confirmed the figures shortly after. The attacker still controls about 2,102 ETH worth about $4.23 million — meaning the bulk of stolen value remains in ether instead of being fully laundered.
## A Signing Key, Not a Smart Contract Bug
The distinction matters. A smart contract flaw can often be patched with a code update. A compromised signing key suggests the attacker gained access to privileged credentials (through phishing, social engineering, or an infrastructure breach) rather than finding a bug in the bridge’s code.
This pattern is becoming familiar. Bridge security depends on the integrity of both the smart contract code and the operational security around signing keys. When either fails, the bridge becomes a liability. The Gravity Bridge incident follows a wave of cross-chain bridge exploits that have collectively drained billions from DeFi protocols since 2022.
## How the Funds Are Moving
Blockchain analysis shows the attacker split the stolen assets across multiple transactions, moving portions through ChangeNow (a no-KYC swap service) and Binance. The use of centralized exchanges for laundering creates a potential recovery path: if Binance freezes the deposited funds, a portion could still be clawed back.
However, the attacker still holds the majority of the stolen value in ether, at addresses whose funds have not yet been funneled through mixers. Security firms are actively monitoring these wallets, and the window for recovery narrows with each passing hour.
## Broader Implications for Bridge Security
Gravity Bridge joins a growing list of cross-chain protocols that have suffered significant losses. The attack comes just days after the Alephium bridge was hacked for $815,000 in seven minutes, and the Echo Protocol hacker minted $7 million in fake bitcoin. Bridge security remains one of the weakest points in the DeFi ecosystem.
For projects building on Gravity Bridge, the incident raises immediate questions about whether the bridge can be safely redeployed and what additional protections need to be added. For users holding assets on the bridge, the question is whether funds will be restored — a process that historically has been hit-or-miss depending on the project’s treasury and insurance coverage.
## Frequently Asked Questions
**How was Gravity Bridge hacked?**
Investigators believe the attacker compromised a signing key rather than exploiting a smart contract bug. This gave them privileged access to authorize withdrawals that appeared legitimate to the bridge’s verification system.
**Can the stolen funds be recovered?**
The attacker still holds about $4.23 million in ether. If exchanges like Binance freeze deposited funds and security firms track the remaining wallets, partial recovery is possible. Full recovery is unlikely.
**What is Gravity Bridge?**
Gravity Bridge is a cross-chain protocol that connects Cosmos-based blockchains to Ethereum, allowing users to transfer assets between the two ecosystems. It uses a validator set and smart contracts to verify and execute cross-chain transactions.