Cross-chain bridge Across Protocol suffered a security incident on its Solana deployment in the early hours of July 17, marking the first attack the protocol has publicly disclosed since it launched in 2021 with a record of zero exploits across more than $34 billion in bridged volume.
In a statement posted on X, the team wrote that “at ~5:30 AM UTC today, Across was attacked on Solana. User funds are safe. No users were affected, and all bridge transactions have been completed.”
Loss Contained to the Risk Labs Relayer
The most important detail in the disclosure is where the exposure sits. According to the team, “the only funds potentially lost belong to the relayer operated by Risk Labs (the foundation supporting Across).”
This distinction matters because of how Across is built. The protocol runs on an intent-based model in which relayers front their own capital on the destination chain to fill user transfers instantly, and are later repaid through settlement on Ethereum verified by UMA’s optimistic oracle. Users never hand custody of their assets to a pooled bridge contract that can be drained. When something goes wrong on the fill side, it is the relayer’s at-risk capital that takes the hit, not user deposits.
That architecture appears to have worked as designed here. The attack landed on the relayer operated by Risk Labs itself, which is one of the participants in the otherwise permissionless relayer network, and the team confirmed that all in-flight bridge transactions were completed for users.
As a containment measure, Solana deposits have been disabled while the protocol “is otherwise operating unaffected.”
In a follow-up post at 4:35 PM IST on July 17, the team reiterated that “your funds are safe and refunds will process automatically,” directing anyone needing help to file a support ticket directly on the Across website and warning users not to click phishing links circulating on the timeline.
The Addresses Being Tracked
Across said it is coordinating the trace with SEAL 911, the emergency response group of whitehats, auditors, and security researchers that has become the industry’s first call during live incidents. The team published three addresses tied to the attacker, one on Solana and two on EVM chains:
- Solana: 8bkoZTaTBBtAPczgHqD4XVxWtvBkiy4crtexEtYDYSL
- EVM: 0xa0C0e9f307b5A26cA3FB5891c19154fc7A02BeF7
- EVM: 0xA6fb971F3B7a9b9F76EdA76bc89268fe26560189
The presence of both Solana and EVM addresses on the tracking list suggests the attacker has already begun moving value across chains, a standard laundering pattern in bridge-adjacent incidents where proceeds are consolidated on Ethereum before being routed through mixers or exchange deposit addresses.
Neither Across nor any independent investigator has published a dollar figure for the relayer’s loss at the time of writing, and no attribution has been made. The team said a full post-mortem will follow “in the coming days” and cautioned that official communications will only come from its verified account.
Why Solana Was the Weak Edge
The attack vector has not been disclosed, but the Solana leg of Across has been a known area of security complexity. Solana only became a supported destination in July 2025 through the protocol’s V4 upgrade, its first expansion beyond EVM chains, with the SVM spoke pool built on the Anchor framework handling deposits, fills, and relayer refunds.
In April 2026, security firm Asymmetric Research disclosed a vulnerability in exactly this part of the stack. Because Solana has no canonical event system and events are often reconstructed from transaction traces, with failed transactions still emitting data, a bug in Across could have allowed attackers to spoof deposit events and trick relayers into filling orders with no real deposit behind them.
Across patched that issue immediately, and no funds were lost at the time, but the disclosure highlighted that the trust boundary between Solana’s on-chain state and the off-chain relayer software watching it is the most delicate seam in the system.
Whether today’s attack exploited a similar class of issue in event handling, a flaw in the relayer bot infrastructure, or a compromised key will only be confirmed by the post-mortem. What can be said is that the incident fits the profile of relayer-side risk rather than a spoke pool drain, since user-facing bridge contracts continued to settle transactions normally throughout.
A Bruising Year for Solana DeFi Security
The incident adds to a difficult 2026 for security on Solana. In April, Drift Protocol lost roughly $285 million in the largest DeFi hack of the year, an operation that SEAL 911 assessed with medium-high confidence was carried out by the same North Korean state-affiliated threat actors behind the 2024 Radiant Capital breach.
That attack was driven by social engineering and durable nonce abuse rather than a smart contract bug, and it pushed the ecosystem into a broader conversation about operational security around keys, admin access, and off-chain infrastructure.
For Across, the reputational stakes are specific. The protocol has marketed itself for years on a perfect security record, and its intent-based design was repeatedly cited as the reason there was no pooled liquidity for an attacker to take. Today’s incident does not break that user-safety thesis, since no user lost funds, but it does show that the solver and relayer layer carries real capital at risk, and that the entity absorbing the loss this time is the foundation at the center of the project.
The full picture, including the size of the relayer’s loss, the exploit mechanism, and any fund recovery efforts, will depend on the post-mortem and on independent tracing of the three flagged addresses.
This is a developing story and will be updated as on-chain investigators publish their findings.
Also Read: Solana Protocol DeFiTuna Hit by $580K Exploit, USDC Pool Left Short
