Across Protocol was hit on Solana on July 17, but the damage stopped where it should have stopped: with the relayer taking the risk. Users did not lose funds.
At roughly 5:30 AM UTC on July 17, an attacker found a hole in Across's Solana integration and used it to trick the bridge's relayer system into paying out against deposits that had not actually gone through. Across said user funds were safe, all pending transfers were completed or refunded, and only the relayer operated by Risk Labs was affected.
That's the story. A bridge got hacked, and the people using it were made whole.
According to The Crypto Times, the incident was the first attack Across has publicly disclosed since launching in 2021, after more than $34 billion in bridged volume. Across paused Solana deposits while it investigated, coordinated with SEAL 911 to track the attacker, and later re-enabled full operations on July 18, ChainThink reported through KuCoin. A full post-mortem is still expected in the coming days.
Here's the trick. Solana has no canonical event system. Failed transactions can still emit data, the same way a rejected form submission might still fire a confirmation email if nobody checks the underlying state. Across's relayers, the parties that front money to fill a user's bridge order before final settlement, use emitted events to decide when to pay out. The attacker appears to have spoofed a deposit signal tied to a transaction that never succeeded, and at least one relayer paid out against a deposit that did not exist.
This was not a random weak spot. In April 2026, Asymmetric Research disclosed a vulnerability in the same broad part of Across's Solana stack. That issue involved Solana's event model, failed transactions, and the risk that relayers could be fooled into filling orders without a real deposit behind them. Across patched that bug at the time, and no funds were lost. The post-mortem now has one job: show whether July 17 reopened that same class of problem or found the next one beside it.
Why Risk Labs Took the Hit
Across is built so relayers carry the immediate risk, not depositors. When you bridge assets through Across, a relayer pays you out of its own capital first and gets reimbursed later after settlement. That means a bad actor exploiting the relayer side drains the relayer, not the user waiting on the destination chain.
The user never feels it.
In this case, the exposed relayer was operated by Risk Labs, the foundation supporting Across. Across described Risk Labs as one participant in an otherwise permissionless relayer network, and said every pending Solana transfer was either completed or fully refunded. Risk Labs ate the loss. Nobody else did.
Compare that with how the worst bridge hacks have usually played out. Ronin lost about $625 million in 2022. Wormhole lost about $325 million the same year. Those attacks hit pooled bridge liquidity, so a breach became a direct hit to user funds sitting in one place. Across's model does not remove risk, but it changes where the risk lands. On July 17, that distinction mattered.
Solana Still Has the Hard Question
Frankly, this is not only an Across story. It is a Solana tooling story. If protocols are reconstructing off-chain state from transaction traces, and failed transactions can still leave behind misleading emitted data, then bridges, relayers and other DeFi systems have to prove they are checking state rather than trusting noise.
That is a narrow technical point with a large financial edge. Solana support only came to Across through its V4 expansion, and the migration guide for the Solana integration names the SVM SpokePool address and Solana chain ID, while warning relayers about Solana-specific fill and repayment details. This is not mature, invisible infrastructure yet. It is still new enough that the sharp parts are visible.
Across has not said how much Risk Labs lost. It has not identified the attacker. The team did publish attacker-linked addresses and told users to rely only on official channels, which is exactly the kind of dull operational detail worth keeping in the story because phishing follows incidents like this almost immediately.
For Across, the honest headline is not that the bridge was untouched. It was touched. It failed on the Solana relayer edge. But the architecture did the thing it was supposed to do under stress: it kept users away from the blast area. The next question belongs to the post-mortem, and to every Solana protocol that watches emitted data and calls it proof.
Also read: XRP Withdrawals From Binance Hit Their Highest Level Since 2024 • France Blocks Polymarket Nationwide After Hackers Rigged Weather Bets • Congress Takes the CLARITY Act to Wall Street as the Senate Clock Runs Out