Across Protocol was attacked on its Solana deployment at roughly 5:30 AM UTC on July 17, 2026, the first security incident it has publicly disclosed since launching in 2021 and after more than $34 billion in bridged volume. No user funds were lost. That outcome is not luck, and it is the only reason this story is worth reading: Across is built so that the people who lose money in an attack are the ones who chose to take the risk, not the users passing through.

  • Losses were contained to the Risk Labs relayer, the foundation that supports Across, and did not touch the protocol or its users.
  • All in-flight Solana transfers were completed or fully refunded, and Solana deposits were re-enabled on July 18.
  • The attack vector has not been disclosed. A full post-mortem is expected this week and the team is tracking the attacker with SEAL 911.
  • No loss figure has been publicly confirmed at time of writing.
Pooled bridge custody compared with intent-based relayer fronting In a pooled bridge, users deposit into a shared locked contract holding hundreds of millions of dollars, and an attacker who breaks the contract drains user funds directly. In an intent-based bridge like Across, the user's deposit settles on the source chain while a relayer fronts its own capital on the destination chain to fill the order instantly, then claims repayment through an optimistic oracle. An attacker who breaks the fill logic takes the relayer's working capital, not a pool of user deposits. WHERE THE MONEY SITS WHEN A BRIDGE BREAKS Pooled custody bridge Users deposit Locked pool contract holds all user funds Attacker drains pool users lose deposits Intent-based bridge · Across User signs an intent Relayer fronts capital its own money, on destination UMA optimistic oracle settles repayment later Break the fill logic and you take the relayer's working capital. User deposits never pooled. genztech.blog
Fig 1 The architectural difference that decided who absorbed this loss. Pooled bridges concentrate user funds in one contract. Across never holds them.

What actually happened?

Across disclosed an incident on its Solana deployment early on July 17. The team stated that user funds were safe, all bridge transactions completed, and Solana deposits were temporarily disabled while it investigated. By July 18 deposits were re-enabled, the protocol was fully operational, and Across confirmed that all in-flight Solana transfers had been completed or refunded in full.

RelatedTokenized Stocks Hit Records as the DTCC Goes Live

The only party that may have lost money is the relayer operated by Risk Labs, the foundation supporting the protocol. Across has not published a loss figure and has not disclosed the attack vector. A post-mortem is expected this week.

Why did users lose nothing?

Because of where the money sits. A conventional bridge takes your tokens on the source chain, locks them in a contract, and mints or releases a representation on the destination chain. That contract is a pot, often holding hundreds of millions of dollars, and breaking it drains user funds directly. That is the mechanism behind most of the large bridge losses of the last four years.

Across works differently. You sign an intent describing what you want. A competitive relayer fills it on the destination chain immediately using its own capital, then claims repayment on Ethereum through UMA's optimistic oracle. Your funds are never pooled into a shared custody contract waiting to be drained. The capital genuinely at risk in the fill step belongs to the relayer, which is a professional actor that priced that risk into its fees.

This is risk placement as a design decision, and it worked exactly as intended under attack. That is a stronger claim than any audit.

What was the likely vector?

Across has not said, so treat what follows as informed context rather than a conclusion. Solana became a supported destination in July 2025 through the V4 upgrade, with an SVM spoke pool built on Anchor handling deposits, fills, and relayer refunds. That component is the newest and most complex part of the stack.

In April 2026, Asymmetric Research disclosed a vulnerability in that same area, where an attacker could potentially spoof deposit events and trick relayers into filling orders with no real deposit behind them. Across patched it immediately and no funds were lost at the time. The shape of this incident, relayer capital affected while user-facing contracts kept settling normally, is consistent with relayer-side risk rather than a spoke pool drain. The post-mortem will settle it.

  1. Jul 2025Solana support ships in the Across V4 upgrade SVM spoke pool built on Anchor
  2. Apr 2026Asymmetric Research discloses a deposit-spoofing flaw patched immediately, no funds lost
  3. Jul 17Attack on the Solana deployment at ~5:30 UTC deposits paused, users unaffected
  4. Jul 18Solana deposits re-enabled, protocol fully operational losses contained to the Risk Labs relayer
  5. This weekFull post-mortem expected vector and loss figure still undisclosed

Who is affected?

Users of Across are not out of pocket and do not need to take action. Relayers are the group carrying real exposure, and the incident is a reminder that relaying is a capital business with tail risk, not a passive yield. If you run one, the post-mortem is required reading before you resume filling on Solana at size.

RelatedTokenized Real-World Assets Cross $30B as Institutions Pile In

The wider group affected is everyone designing cross-chain infrastructure. Bridge exploits have dominated DeFi losses in 2026, and the default response has been more audits on the same pooled-custody design. Across just provided a live demonstration that changing where the capital sits does more than auditing the pot harder.

Our take

Do not read this as "Across is unhackable." It was hacked. Something in the Solana path let an attacker take money that was not theirs, the vector is still undisclosed, and until the post-mortem lands nobody outside the team knows how bad the underlying bug was.

Read it instead as a design lesson that generalises. The question that decided this outcome was not how good the audits were. It was: when this breaks, whose money is standing in the blast radius? Across answered that at architecture time by ensuring the answer is a professional relayer that opted in, rather than thousands of users who just wanted to move tokens. Most bridges answer it by accident, and the answer is their users.

We will judge the response on the post-mortem. Publishing the vector, the loss figure, and the fix within the promised week would be a genuinely strong showing. Quietly letting the timeline slip would say something else.

Primary sources

Original analysis by GenZTech. Incident details as disclosed by the Across team and reported by Crypto Times.