Gravity Bridge halted operations after a suspected authorization-layer compromise drained roughly $5.4 million from the cross-chain bridge on May 30, 2026. On-chain analyst Specter first flagged the incident at approximately 06:43 UTC, saying the bridge contract key may have been compromised. Gravity Bridge later told validator operators to halt their validators and orchestrators during the investigation.
The incident should be framed as a suspected signing-key or authorization compromise, not a confirmed smart-contract logic bug. Gravity Bridge has not yet published a full postmortem identifying the exact entry point, affected validator infrastructure or final root cause.
It appears the @gravity_bridge bridge contract key may have been compromised, resulting in the theft of $5.4M.
The attacker drained the following assets:
USDC: $4.3M
WETH: 274 ETH (~$553K)
USDT: $434K
$PAYG: $64K
Theft addresses:
0x7B582033061b96cC3F9421e73a749ED7C62da1F9… pic.twitter.com/nX81rsZYGp
— Specter (@SpecterAnalyst) May 30, 2026
Stolen Assets and Addresses Require Careful Attribution
PeckShield reported that the attacker drained about $4.3 million in USDC, 274 ETH worth roughly $553,000, $434,000 in USDT and 14.164 PAXG worth about $64,000. The firm also said part of the proceeds moved through ChangeNow and Binance, while the attacker still held about 2,102 ETH, valued near $4.23 million at the time of its alert.
The attacker address should be corrected. The Gravity Bridge theft address cited in reports is 0x7B582033061b96cC3F9421e73a749ED7C62da1F9, with a second linked address reported as 0x4d3ca32e687e871a58b78AcAc73bE59AC37C7A47.
Bridge Architecture Put Key Management at the Center
Gravity Bridge links Ethereum and the Cosmos ecosystem by locking assets on Ethereum and allowing corresponding assets to move through Cosmos-side infrastructure. That design depends on validator or orchestrator signatures to authorize cross-chain fund movement, so compromised signing authority can make unauthorized withdrawals appear valid to the bridge contract.
ForgeAudit’s Andrea Leutenegger described the incident as a trust-layer failure, saying 37 validators unknowingly signed a malicious update after the signing pipeline was poisoned, and that the contract lacked a timelock, guardian multisig or circuit breaker. That assessment is useful technical analysis, but it should remain attributed to ForgeAudit unless Gravity Bridge confirms those details in a postmortem.
“The contract had no timelock. No guardian multisig. No circuit breaker.” https://t.co/nA5CFYqaNy
— Leuts.eth (@A_Leutenegger) May 31, 2026
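As an added illustration (not Gravity Bridge's contract code and not taken from ForgeAudit's analysis), the Python model below shows why a quorum check alone releases any withdrawal that compromised signers approve, and how a rolling outflow cap acting as a circuit breaker pauses the gate instead. The 50-validator set with equal voting power, the two-thirds quorum, the one-hour window, the $500,000 cap and the withdrawal amounts are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeGate:
    """Toy withdrawal gate: signer quorum plus a rolling outflow cap."""
    powers: dict                  # signer -> voting power (constructed)
    quorum: float = 2 / 3         # assumed share of total power required
    window: int = 3600            # assumed rolling window, seconds
    cap_usd: float = 500_000      # assumed max outflow per window
    paused: bool = False
    released: list = field(default_factory=list)  # (timestamp, usd)

    def has_quorum(self, signers):
        signed = sum(self.powers.get(s, 0) for s in set(signers))
        return signed > self.quorum * sum(self.powers.values())

    def withdraw(self, now, usd, signers):
        if self.paused:
            return "rejected: paused"
        if not self.has_quorum(signers):
            return "rejected: no quorum"
        recent = sum(v for t, v in self.released if now - t < self.window)
        if recent + usd > self.cap_usd:
            # Valid signatures are not enough: trip and stay paused until
            # a separate guardian process (not modelled) resets the gate.
            self.paused = True
            return "rejected: breaker tripped"
        self.released.append((now, usd))
        return "released"


def replay(gate, events):
    """Feed (timestamp, usd, signers) events through the gate in order."""
    return [gate.withdraw(*e) for e in events]


# Constructed scenario: 37 of 50 equal-power signers approve every request.
VALIDATORS = {f"val{i}": 1 for i in range(50)}
COMPROMISED = [f"val{i}" for i in range(37)]
EVENTS = [(0, 120_000, COMPROMISED), (60, 300_000, COMPROMISED),
          (120, 4_300_000, COMPROMISED), (180, 10_000, COMPROMISED)]

if __name__ == "__main__":
    print("quorum only :", replay(BridgeGate(VALIDATORS, cap_usd=float("inf")), EVENTS))
    print("with breaker:", replay(BridgeGate(VALIDATORS), EVENTS))
```

With the cap disabled every request is released, because the signatures are genuine; with the cap enabled the large withdrawal trips the breaker and later requests are refused while the gate is paused.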
Gravity Bridge confirmed the operational response on X. At approximately 13:29 UTC on May 30, the team told validator operators to halt their validators and orchestrators, and at approximately 14:58 UTC it said the bridge had been halted while the investigation continued.
There was an unfortunate incident on Gravity. Validators should halt their validators and orchestrators while this incident is being investigated.
— Gravity Bridge (@gravity_bridge) May 30, 2026
The clean editorial framing is narrow: Gravity Bridge suffered a roughly $5.4 million unauthorized outflow, likely tied to compromised signing authority, and paused bridge operations while reviewing validator activity. Claims about compensation, relaunch timing, contract modifications or the exact compromise path remain unconfirmed until the team publishes a formal incident report.
