The Gravity Bridge cross-chain bridge was drained of $5.4 million, with the contract nearly zeroed out

According to on-chain analyst Specter's detection, the bridge contract key of Cosmos ecosystem cross-chain protocol Gravity Bridge has reportedly been leaked, with approximately $5.4 million in assets stolen, including 4.3 million USDC, 274 WETH, 434,000 USDT, and approximately $64,000 worth of PAYG. The contract balance is now only about $85,000, nearly zeroed out. (Background: StakeDAO deployer's private key leaked, attacker minted 5.4 trillion vsdCRV out of thin air on Arbitrum) (Context: Has DeFi become a hacker's backyard? 13 attacks in one month, $630 million swept away) Key Highlights - Gravity Bridge bridge contract key leaked, approximately $5.4 million in assets stolen, contract balance only $85,000 remaining - Stolen assets include 4.3 million USDC, 274 WETH, 434,000 USDT, and $64,000 worth of PAYG - Second DeFi private key leak incident within three days, 2026 bridge attack losses now exceed $328 million cumulatively On-chain analyst Specter issued an alert today (5/30), pointing out that the bridge contract key of Cosmos ecosystem's veteran cross-chain bridge Gravity Bridge has reportedly been leaked, with attackers having moved approximately $5.4 million in assets from the contract. According to Etherscan on-chain records, the Gravity Bridge Ethereum-side contract currently holds only about $85,000 in balance, nearly emptied. Four Types of Assets Drained at Once The stolen assets breakdown is 4.3 million USDC (approximately 79.6% share), 274 WETH (approximately $553,000), 434,000 USDT, and approximately $64,000 worth of PAYG. The addresses involved are 0x7B58…da1F9 and 0x4d3c…C7A47. On-chain records show that the first address received deposits from Binance about 7 hours ago, then transferred the funds to the second address. The second address currently holds approximately 2,065 ETH (about $4.16 million), indicating that the attacker has already converted some of the stolen assets into ETH. Gravity Bridge is an early cross-chain bridge project in the Cosmos ecosystem, primarily responsible for asset bridging between Cosmos and Ethereum. Its Ethereum-side contract's security model theoretically requires signatures from more than two-thirds of validators to transfer funds, and the key leak means the attacker may have bypassed this multi-signature defense line. Two Incidents in Three Days, Private Keys Become DeFi's Number One Killer This is the second private key leak incident within three days. On May 27, the StakeDAO deployer's private key was also leaked, and the attacker, by reconfiguring LayerZero v2 cross-chain peer nodes, minted over 5.4 trillion vsdCRV out of thin air on Arbitrum and exchanged them for ETH. Private key leaks have become the primary attack vector for cross-chain bridge hackers in 2026. At least 8 major bridge protocol attacks have occurred this year, with cumulative losses exceeding $328 million, among which Kelp DAO ($293 million) and Drift ($285 million) are the largest cases, both involving stolen keys or administrator permissions. OpenZeppelin co-founder Manuel Araoz only last week publicly called on everyone to exit DeFi positions including Aave and MakerDAO, stating that "all DeFi is unsafe." The Gravity Bridge incident once again confirms his warning—attackers don't need to find smart contract vulnerabilities, they just need to obtain a key. As of press time, Gravity Bridge officials have yet to issue a statement on the incident. FAQ What is Gravity Bridge? How much was stolen? Gravity Bridge is a cross-chain bridge protocol in the Cosmos ecosystem, responsible for asset bridging between Cosmos and Ethereum. This time, the bridge contract key was reportedly leaked, with approximately $5.4 million in assets stolen, including 4.3 million USDC, 274 WETH, 434,000 USDT, and $64,000 worth of PAYG. How serious are the 2026 cross-chain bridge hacker attacks? At least 8 major bridge protocol attacks have occurred this year, with cumulative losses exceeding $328 million. Private key leaks are the primary attack vector, with Kelp DAO ($293 million) and Drift ($285 million) being the largest cases.