Gravity Bridge Ethereum Contract Drained of $5.4M via Compromised Key
Gravity Bridge's Ethereum-side contract was drained of approximately $5.4 million in a May 30 exploit that involved a compromised signing key rather than a smart contract bug. On-chain investigator Specter first flagged the incident, identifying two attacker addresses. The stolen assets included $4.3 million in USDC, 274 ETH ($553,000), $434,000 in USDT, and $64,000 in PAYG tokens. PeckShield confirmed the losses and noted that the attacker moved funds through ChangeNow and Binance to obscure their origin. The attacker swapped most of the stablecoins for ETH and now holds about 2,102 ETH ($4.23 million). Gravity Bridge, which connects Ethereum to Cosmos via IBC, had about $11.5 million TVL before the attack. The incident underscores the persistent risk in cross-chain bridges, where privileged keys create single points of failure, and echoes past hacks like Ronin and Poly Network. While stablecoin issuers can blacklist addresses, funds sent through non-custodial services like ChangeNow are harder to recover. The remaining ETH stash is traceable but can be split or mixed.
Key facts
- $5.4 million stolen from Gravity Bridge Ethereum contract via compromised signing key.
- Assets include USDC, ETH, USDT, and PAYG tokens totaling $5.4M.
- Attacker swapped stablecoins for 2,102 ETH worth $4.23M.
- Bridge held $11.5M TVL before exploit; team has not responded.
- Exploit echoes past bridge hacks like Ronin and Poly Network.