Across Protocol was attacked on its Solana deployment at roughly 5:30 AM UTC on July 17, 2026, the first security incident it has publicly disclosed since launching in 2021 and after more than $34 billion in bridged volume. No user funds were lost. That outcome is not luck, and it is the only reason this story is worth reading: Across is built so that the people who lose money in an attack are the ones who chose to take the risk, not the users passing through.
- Losses were contained to the Risk Labs relayer, the foundation that supports Across, and did not touch the protocol or its users.
- All in-flight Solana transfers were completed or fully refunded, and Solana deposits were re-enabled on July 18.
- The attack vector has not been disclosed. A full post-mortem is expected this week and the team is tracking the attacker with SEAL 911.
- No loss figure has been publicly confirmed at time of writing.
What actually happened?
Across disclosed an incident on its Solana deployment early on July 17. The team stated that user funds were safe, all bridge transactions completed, and Solana deposits were temporarily disabled while it investigated. By July 18 deposits were re-enabled, the protocol was fully operational, and Across confirmed that all in-flight Solana transfers had been completed or refunded in full.
RelatedTokenized Stocks Hit Records as the DTCC Goes Live
The only party that may have lost money is the relayer operated by Risk Labs, the foundation supporting the protocol. Across has not published a loss figure and has not disclosed the attack vector. A post-mortem is expected this week.
Why did users lose nothing?
Because of where the money sits. A conventional bridge takes your tokens on the source chain, locks them in a contract, and mints or releases a representation on the destination chain. That contract is a pot, often holding hundreds of millions of dollars, and breaking it drains user funds directly. That is the mechanism behind most of the large bridge losses of the last four years.
Across works differently. You sign an intent describing what you want. A competitive relayer fills it on the destination chain immediately using its own capital, then claims repayment on Ethereum through UMA's optimistic oracle. Your funds are never pooled into a shared custody contract waiting to be drained. The capital genuinely at risk in the fill step belongs to the relayer, which is a professional actor that priced that risk into its fees.
This is risk placement as a design decision, and it worked exactly as intended under attack. That is a stronger claim than any audit.
What was the likely vector?
Across has not said, so treat what follows as informed context rather than a conclusion. Solana became a supported destination in July 2025 through the V4 upgrade, with an SVM spoke pool built on Anchor handling deposits, fills, and relayer refunds. That component is the newest and most complex part of the stack.
In April 2026, Asymmetric Research disclosed a vulnerability in that same area, where an attacker could potentially spoof deposit events and trick relayers into filling orders with no real deposit behind them. Across patched it immediately and no funds were lost at the time. The shape of this incident, relayer capital affected while user-facing contracts kept settling normally, is consistent with relayer-side risk rather than a spoke pool drain. The post-mortem will settle it.
- Jul 2025Solana support ships in the Across V4 upgrade SVM spoke pool built on Anchor
- Apr 2026Asymmetric Research discloses a deposit-spoofing flaw patched immediately, no funds lost
- Jul 17Attack on the Solana deployment at ~5:30 UTC deposits paused, users unaffected
- Jul 18Solana deposits re-enabled, protocol fully operational losses contained to the Risk Labs relayer
- This weekFull post-mortem expected vector and loss figure still undisclosed
Who is affected?
Users of Across are not out of pocket and do not need to take action. Relayers are the group carrying real exposure, and the incident is a reminder that relaying is a capital business with tail risk, not a passive yield. If you run one, the post-mortem is required reading before you resume filling on Solana at size.
RelatedTokenized Real-World Assets Cross $30B as Institutions Pile In
The wider group affected is everyone designing cross-chain infrastructure. Bridge exploits have dominated DeFi losses in 2026, and the default response has been more audits on the same pooled-custody design. Across just provided a live demonstration that changing where the capital sits does more than auditing the pot harder.
Our take
Do not read this as "Across is unhackable." It was hacked. Something in the Solana path let an attacker take money that was not theirs, the vector is still undisclosed, and until the post-mortem lands nobody outside the team knows how bad the underlying bug was.
Read it instead as a design lesson that generalises. The question that decided this outcome was not how good the audits were. It was: when this breaks, whose money is standing in the blast radius? Across answered that at architecture time by ensuring the answer is a professional relayer that opted in, rather than thousands of users who just wanted to move tokens. Most bridges answer it by accident, and the answer is their users.
We will judge the response on the post-mortem. Publishing the vector, the loss figure, and the fix within the promised week would be a genuinely strong showing. Quietly letting the timeline slip would say something else.
- ReportingCrypto Times: Across reports first attack on Solana after $34B in bridge volume , incident timing and scope
- ReportingBloomingbit: Across says Solana hack did not affect user funds , confirmation of the relayer-only loss
- ReferenceChainalysis: inside the KelpDAO bridge exploit , contrast case for pooled-custody bridge failure
Original analysis by GenZTech. Incident details as disclosed by the Across team and reported by Crypto Times.
