Gravity Bridge Drained of $5.4M via Token Registry Poisoning
Trend: cybersecurity

June 7, 2026

Summary

On June 4, 2026, Gravity Bridge, a key link between Cosmos and Ethereum, suffered an exploit resulting in a loss of approximately $5.4 million. The attacker exploited a vulnerability in how token identifiers are handled, poisoning the token registry with fabricated data to drain assets.

What happened?

The exploit targeted the validation logic of token metadata within the Gravity Bridge system. The attack sequence involved:

  1. Minting worthless tokens on the Osmosis DEX.
  2. Injecting a fabricated “denom” (denomination) string into the bridge’s token registry.
  3. Using this poisoned registry entry to have the bridge treat the worthless tokens as a legitimate asset, enabling the withdrawal of ~$5.4M worth of funds on the Ethereum side.

Why it matters

This incident highlights the persistent vulnerabilities inherent in cross-chain infrastructure. Bridges remain high-value targets and complex failure points in the DeFi ecosystem, as they require perfectly synchronized state management across disparate protocols. A single flaw in metadata handling can compromise the entire security model.

Evidence

Detailed technical post-mortems and on-chain data confirm the exploit path. Security researchers, including rekt.news, have documented the specific interaction between Cosmos denominations and the bridge’s Ethereum smart contracts that enabled the drain.

Analysis

The root cause was a lack of strict separation between token registration and the transfer mechanism. By allowing a user-controlled denom string to influence the internal mapping of tokens without sufficient validation, the bridge became susceptible to poisoning. This demonstrates that bridge security must extend beyond cryptography to include rigorous data sanitization for all cross-chain messages.

Practical Takeaways

  • For Bridge Operators: Implement strict whitelisting for token metadata and decouple registry logic from asset transfers.
  • For Users: Exercise caution when using bridges following major updates or the introduction of new token types. Monitor bridge treasury health.
  • For Developers: Input sanitization is critical even for on-chain data; never trust cross-chain metadata blindly.

Open Questions

  • To what extent are other Cosmos-Ethereum bridges using similar logic susceptible to this attack?
  • Can the stolen funds be frozen via centralized stablecoin blacklists or other on-chain measures?

Sources

  1. rekt.news: Gravity Bridge Rekt
  2. GhostSwap: Gravity Bridge Exploit Analysis