The bridge did not break. The people running it were made to break it themselves.
On May 30, Gravity Bridge, the cross-chain protocol connecting Ethereum to the Cosmos ecosystem, was drained of roughly $5.4 million in digital assets. Blockchain security firm PeckShieldAlert flagged the exploit first, reporting losses of $4.3M in USDC, 274 ETH worth approximately $553K, $434K in USDT, and 14,164 PAYG tokens valued at around $64K.
The 28-Hour Setup Nobody Caught
About a day before the drain, a wallet moved.
As BlackHartInc posted on X, that wallet had once been a legitimate Gravity Bridge relayer in early 2025 before going dormant for roughly 280 days. When it woke up, it called updateValset, shrinking the active validator set from 58 validators down to 34. The transaction is on-chain at Etherscan.
That move alone concentrated voting power at the top. But what made it work was worse: the original 58-validator set signed it themselves. Enough legitimate validators, by voting power, cleared the 2/3 threshold required by the contract. The protocol did exactly what it was designed to do.
Twenty-eight hours later, the newly concentrated set signed the withdrawals.
Four submitBatch calls drained the bridge into wallet 0x7b58…da1f9 in quick succession, according to BlackHartInc’s thread on X. The assets came out clean. No contract bug, no reentrancy, no flash loan.
Not a Code Bug. Something Worse.
“Root cause: dozens of independent validators do not get phished at the same moment. The most likely explanation is that their automated signing pipeline was poisoned, and they signed the malicious valset change without seeing what it did. And the contract had no timelock, no guardian, and no circuit breaker.”
That is how BlackHartInc described the attack on X. The validators were not tricked individually. Their shared signing infrastructure was.
Gravity Bridge’s Ethereum contract works by maintaining a checkpoint of the Cosmos validator set. Funds only release when validators holding 2/3 of voting power sign off. There is no admin override. Signatures are the authority. Once the signatures were valid, the drain was instant and had no reversal path.
The stolen funds were then swapped to ETH and consolidated at address 0x4d3c…7A47. As BlackHartInc posted on X, that wallet still held roughly 2,059 ETH worth approximately $4.2M at the time of the post. A portion had already been pushed through ChangeNow and Binance before the wallet was flagged.
PeckShieldAlert confirmed on X that the hacker still held 2.102K ETH worth around $4.23M after the partial laundering, with movement traced through both platforms.
Validators Told to Halt
The official Gravity Bridge account posted on X directing validator operators to halt their validators and orchestrators while the incident was under investigation. No timeline or recovery plan was included in the post at the time of publication.
Cosmos-based bridge users watching their cross-chain positions closely are now the ones absorbing that silence.
Same Shape, Different Bridge
As BlackHartInc noted on X: “Ronin, Harmony, Multichain, now Gravity. Same shape every time: the code verifies signatures correctly, and the attacker subverts the parties doing the signing.”
Bridge security failures are not slowing down. PeckShieldAlert data puts total bridge hack losses above $328 million across eight incidents through mid-May 2026 alone. That figure does not include Gravity Bridge. The Verus-Ethereum bridge lost $11.5M on May 18 via a verification bypass. Per DefiLlama’s hacks database, bridges account for $3.2 billion of the $16.6 billion in total value lost across all of crypto history, a disproportionate share given how few bridge protocols exist.
A timelock and a guardian pause on validator-set changes would likely have caught this, BlackHartInc posted on X. With a delay in place, someone would have had time to see what the valset change actually did before it went live.
Without one, the contract confirmed the signatures and released the funds. That was the entire attack.
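The timelock and guardian pause described above can be modelled in a few lines. The following is an added example, not Gravity Bridge's contract code or anything posted by BlackHartInc: the ValsetGate class, the 48-hour delay and the sample voting powers are assumptions made for illustration. It shows how a validly signed valset change can be queued instead of applied, and how the drop in the number of signers needed for quorum becomes a review signal during the delay.

```python
from __future__ import annotations
from dataclasses import dataclass

QUORUM_NUM, QUORUM_DEN = 2, 3      # 2/3 of voting power, as the article states
TIMELOCK_SECONDS = 48 * 3600       # assumed delay; the article names no value

def has_quorum(signer_power: int, total_power: int) -> bool:
    """Integer check that signers hold at least 2/3 of total voting power."""
    return signer_power * QUORUM_DEN >= total_power * QUORUM_NUM

def min_signers(powers: list[int]) -> int:
    """Fewest validators whose combined power reaches quorum (largest first)."""
    total, acc = sum(powers), 0
    for n, p in enumerate(sorted(powers, reverse=True), start=1):
        acc += p
        if has_quorum(acc, total):
            return n
    return len(powers)

@dataclass
class ValsetGate:
    """Hypothetical gate: a signed valset change is queued, not applied."""
    active: list[int]
    pending: list[int] | None = None
    eta: int = 0
    paused: bool = False

    def queue(self, new_powers, signer_power, now):
        if not has_quorum(signer_power, sum(self.active)):
            raise PermissionError("signatures below 2/3 of current power")
        self.pending, self.eta = list(new_powers), now + TIMELOCK_SECONDS
        # Before/after figures a reviewer can check during the delay window.
        return {"validators": (len(self.active), len(new_powers)),
                "min_signers": (min_signers(self.active), min_signers(new_powers))}

    def guardian_pause(self):
        self.paused = True

    def activate(self, now):
        if self.paused:
            raise RuntimeError("paused by guardian")
        if self.pending is None or now < self.eta:
            raise RuntimeError("timelock not elapsed")
        self.active, self.pending = self.pending, None

# Constructed sample powers (not the real Gravity Bridge set): 58 -> 34 validators.
OLD = [40] * 10 + [10] * 48
NEW = [40] * 10 + [10] * 24
```

With these constructed powers, the queued change reports that the signers needed for quorum fall from 29 to 13, and an activation attempt 28 hours later is still rejected by the assumed 48-hour delay.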












