Gravity Bridge, a Cosmos-native cross-chain protocol, was hit by a compromised-key attack over the weekend, resulting in the theft of roughly $5.4 million. The exploit, flagged by blockchain investigator Specter on Saturday, May 31st, stemmed from what he described as a signing key compromise — an unauthorized disclosure that let the attacker forge digital signatures and drain funds.
The looted assets included $4.3 million in USDC, 274 wrapped Ether valued at approximately $553,000, $434,000 in USDT, and 14.16 PAXG tokens priced at about $64,000. Security firm PeckShield noted that the bad actor has already laundered a portion of the stolen crypto, though the full scale of the obfuscation remains unclear.
This breach underscores ongoing security weaknesses in the cross-chain and DeFi ecosystem, where private key management remains a critical attack vector. The incident has not yet drawn a formal reaction from the SEC or CFTC, but it aligns with regulators' heightened scrutiny of cross-chain bridges, which have been frequent targets for attackers.
Gravity Bridge's market cap has not been disclosed publicly, but the $5.4 million loss is significant relative to the protocol's total value locked (TVL). The hack adds pressure on Cosmos ecosystem projects to shore up key management, especially as competitors like Chainlink's CCIP promote more hardened cross-chain infrastructure.
The Gravity Bridge team has yet to release a post-mortem or recovery plan. Community reaction on X has been critical of the protocol's security posture, with some developers calling for mandatory multi-signature and hardware-based key storage across all Cosmos bridges.