The best robber is the one who can wait.

Cross-chain bridges have again shown their weakness: funds can disappear not because of a bug in the code but because of control over those who confirm the operations. This happened to Gravity Bridge, where the attacker withdrew about $5.4 million after taking control of the validator set on the Ethereum side.
Gravity Bridge connects Ethereum with the Cosmos-based Gravity chain. The Ethereum contract releases funds only after the operation is confirmed by validators holding two-thirds of the voting power. According to Blackhart, the attacker managed to obtain signatures from real validators and changed the composition of the set: instead of 58 participants there were 34. This step concentrated control and then made it possible to sign the withdrawal of funds.
Withdrawn from the bridge were 4.35 million USDC, 274 ETH, 434 thousand USDT and 14.16 gold-backed PAXG. The total damage came to about $5.4 million. After the theft the assets were swapped for ETH and moved to a separate wallet. Part of the funds passed through ChangeNow and Binance, and at the time of the report the attacker held about 2059 ETH.
The Gravity Bridge contract code itself, according to Blackhart, was not hacked. The contract worked as designed: it checked the validators' signatures and accepted the new state. The problem was that the signatures were the only barrier. The system had no delay before a change of the validator set, no separate protective mechanism, no emergency stop and no limit on rapid withdrawal of large sums.
The attack began from a wallet that had already operated with Gravity as a legitimate relayer at the beginning of 2025 and then showed no activity for about 280 days. On May 28, 2026, the wallet called the updateValset function and reduced the validator set from 58 to 34. The old set confirmed the change with the required voting threshold.
About 28 hours later, the new, more concentrated validator set signed four withdrawal batches. All assets went to a single address, after which the tokens were swapped for ETH and consolidated in a storage wallet. Blackhart considers the most likely explanation not the deliberate consent of dozens of validators but a compromise of the automated signing system by the attackers.
Other bridges and protocols, according to the report, were not affected. The funds held in the Gravity Bridge contract on Ethereum were withdrawn. The stolen assets have not yet been recovered.
The case resembles the 2022 attacks on Ronin Bridge and Harmony Horizon, where attackers likewise gained access to enough signatures and withdrew funds without breaking the contract logic. In such schemes the danger lies not only in the program code but also in who controls the keys, how transaction verification is arranged and whether the team has time to stop suspicious changes.
Blackhart recommends that Gravity and its validators replace all keys, audit the automated signing chain and restore the legitimate validator set only after manual verification. For bridges in general, experts advise adding a delay before changes to the validator set, an emergency pause mechanism and a withdrawal limit, so that a single capture of signatures does not turn into an instant draining of the contract.
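The following is an added illustration, not Gravity Bridge code: a toy Python model of a two-thirds-power bridge contract with the three controls the article says were missing (a valset activation delay, a pause switch and a rolling withdrawal limit), replayed against a constructed timeline that mirrors the report. All names, the 48-hour delay and the limit values are assumptions.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class Bridge:
    """Hypothetical bridge contract: releases funds only on two-thirds of voting
    power, queues validator-set changes behind a delay, can be paused, and
    caps what can be released in a rolling window."""
    powers: dict                      # active validator -> voting power
    valset_delay: int = 48 * HOUR     # assumed: new set may not sign until this elapses
    limit: int = 1_000_000            # assumed: max amount releasable per window
    window: int = 24 * HOUR
    paused: bool = False
    pending: tuple = None             # (activation_time, new_powers) or None
    released: list = field(default_factory=list)

    def _quorum(self, signers):
        signed = sum(p for v, p in self.powers.items() if v in signers)
        return 3 * signed >= 2 * sum(self.powers.values())   # two-thirds of power

    def update_valset(self, now, new_powers, signers):
        if self.paused or not self._quorum(signers):
            return False
        self.pending = (now + self.valset_delay, new_powers)  # queued, not applied yet
        return True

    def _activate(self, now):
        if self.pending and now >= self.pending[0]:
            self.powers, self.pending = self.pending[1], None

    def withdraw(self, now, amount, signers):
        self._activate(now)
        if self.paused or not self._quorum(signers):
            return False
        recent = sum(a for t, a in self.released if now - t < self.window)
        if recent + amount > self.limit:
            return False                  # rate limit slows a drain and buys response time
        self.released.append((now, amount))
        return True


def replay():
    """Constructed timeline: 58 equal-power validators, a valset update to 34
    signed by enough of the old set, withdrawal attempted about 28 hours later."""
    old = {f"v{i}": 1 for i in range(58)}
    new = {f"v{i}": 1 for i in range(34)}
    bridge = Bridge(powers=dict(old))
    update_ok = bridge.update_valset(0, new, signers=set(list(old)[:39]))  # 39/58 >= 2/3
    early = bridge.withdraw(28 * HOUR, 4_350_000, signers=set(new))         # old set still active
    bridge.paused = True                                                     # operators react inside the delay
    late = bridge.withdraw(49 * HOUR, 4_350_000, signers=set(new))
    return update_ok, early, late
```

With the delay in place, the 34 new signers are measured against the still-active set of 58 and fall short of two-thirds, and the pause blocks the attempt once the delay would have expired.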