Cross-chain bridges are necessary infrastructure for a multi-chain world: if you hold ETH and want to use a Solana DeFi protocol, something must move your value across blockchains. But bridges are also DeFi's most dangerous attack surface. Large pools of locked value, complex multi-party signing and verification logic, and code that is hard to formally verify make them a prime target. In 2022, bridge exploits accounted for the majority of value stolen from DeFi protocols (Chainalysis, 2022). Understanding bridge mechanics, and their failure modes, is essential for anyone moving assets between chains.
Why Bridges Exist
Blockchains are isolated by design. Bitcoin doesn’t know what’s happening on Ethereum. Ethereum doesn’t know what’s happening on Solana. Each chain has its own consensus, its own state, its own rules.
The problem:
- Ethereum has DeFi liquidity depth but high fees
- Solana has speed but different token standards
- Bitcoin has the strongest settlement security but no general-purpose smart contracts
- A user wants to use their ETH as collateral on a Solana lending protocol
The solution (bridges):
- Lock ETH on Ethereum (sent to a bridge smart contract)
- Mint “wrapped ETH” on Solana (representing a claim on locked ETH)
- User can now use wrapped ETH on Solana
- To exit: burn wrapped ETH on Solana → bridge releases locked ETH on Ethereum
This lock-and-mint model is the core of most bridges. It rests on one invariant: wrapped tokens in circulation on chain B never exceed assets locked on chain A. Every major bridge hack below broke that invariant by minting or releasing without a real deposit, and the locked pool is what the attacker walks away with.
Bridge Architecture Types
Bridges differ mainly in who, or what, verifies that a deposit really happened on the source chain before the destination chain mints. Four broad models, from most to least trust in third parties:
1. Externally Verified (Multi-sig / Oracle-based)
- An off-chain validator set (guardians, oracles, a multi-sig) watches chain A; once a threshold of them sign a message describing the deposit, the contract on chain B mints
- Risk: the contract on chain B checks only the signatures, not chain A itself; an attacker who controls threshold keys produces a forgery that is indistinguishable from a real deposit
- Examples: Early Wormhole, Multichain (before hack), early Ronin
2. Natively Verified (Light Clients)
- A light client of chain A runs inside a contract on chain B, verifies chain A's block headers, and accepts a deposit only with a Merkle proof against a verified header
- No external validator set; trust is reduced to chain A's own consensus plus the correctness of the light-client code
- Risk: light-client implementation bugs, and the gas cost of verifying another chain's consensus on-chain; much safer than a multi-sig, but not trustless
- Examples: Near Rainbow Bridge (Ethereum ↔ Near)
3. Optimistically Verified (Fraud Proofs)
- Messages are relayed with a claimed state root and treated as valid unless, within a challenge window, a watcher submits a fraud proof showing the root was never committed on chain A
- Risk: needs at least one honest watcher online for the whole window; latency equals the window (Nomad used about 30 minutes; optimistic rollup bridges use 7 days)
- Examples: Nomad (optimistic bridge)
4. ZK-Verified (Validity Proofs)
- Strongest cryptographic guarantee: a validity proof of chain A's consensus and state is verified on chain B, so trust reduces to the soundness of the proof system (including any trusted setup) and chain A's own consensus
- Risk: bugs in the circuit or verifier, which are hard to audit; currently high proving cost and latency
- Examples: zkBridge (prototype), Polygon zkEVM bridges
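The deposit, attest, mint flow from the lock-and-mint section above, combined with the externally verified check of model 1, as an added Python example written for this page (it is not code from Wormhole, Ronin or any other bridge). HMAC-SHA256 with a per-validator secret stands in for real ECDSA/Ed25519 signatures, and all chain names, amounts, addresses and validator secrets are constructed. It shows the checks the destination-side contract can make (a threshold of distinct validators, binding every field of the deposit into the signed message, nonce-based replay protection) and the one it cannot: a deposit that never happened, attested with five compromised keys, passes every check and leaves the bridge insolvent, which is exactly the Ronin failure.

```python
"""Lock-and-mint bridge with an externally verified (multisig-style) mint.

Added example written for this page; not code from any real bridge. Each
validator's "signature" is an HMAC-SHA256 over the deposit message with a
per-validator secret (a stdlib stand-in for a real signature scheme).
Chain names, amounts, addresses and secrets are constructed sample data.
"""
import hashlib
import hmac

SOURCE_CHAIN = "ethereum"
DEST_CHAIN = "solana"


class Deposit:
    """Event emitted on the source chain when ETH is locked."""

    def __init__(self, nonce: int, recipient: str, amount: int):
        self.nonce = nonce          # unique per deposit: replay protection
        self.recipient = recipient  # address on the destination chain
        self.amount = amount

    def message(self) -> bytes:
        # Every field the mint depends on is covered by the attestation,
        # including both chain IDs, so the message cannot be reused elsewhere.
        return f"{SOURCE_CHAIN}|{DEST_CHAIN}|{self.nonce}|{self.recipient}|{self.amount}".encode()


def attest(validator_id: str, secret: bytes, dep: Deposit) -> tuple:
    """One validator's attestation of a deposit (HMAC stands in for a signature)."""
    return validator_id, hmac.new(secret, dep.message(), hashlib.sha256).digest()


class LockMintBridge:
    def __init__(self, validator_secrets: dict, threshold: int):
        self.validator_secrets = validator_secrets  # validator id -> secret
        self.threshold = threshold                  # e.g. 5 of 9
        self.locked = 0         # ETH held by the bridge contract on the source chain
        self.wrapped = {}       # wETH balances on the destination chain
        self.next_nonce = 0
        self.minted_nonces = set()

    def lock(self, recipient: str, amount: int) -> Deposit:
        """Source chain: lock ETH and emit the deposit event."""
        self.locked += amount
        dep = Deposit(self.next_nonce, recipient, amount)
        self.next_nonce += 1
        return dep

    def mint(self, dep: Deposit, attestations: list) -> None:
        """Destination chain: mint wETH once enough distinct validators attest."""
        if dep.nonce in self.minted_nonces:
            raise ValueError("replay: nonce already minted")
        signers = set()
        for validator_id, tag in attestations:
            secret = self.validator_secrets.get(validator_id)
            if secret is None:
                continue  # unknown validator
            expected = hmac.new(secret, dep.message(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                signers.add(validator_id)  # a set: one validator counts once
        if len(signers) < self.threshold:
            raise ValueError(f"threshold: {len(signers)} of {self.threshold} valid attestations")
        self.minted_nonces.add(dep.nonce)
        self.wrapped[dep.recipient] = self.wrapped.get(dep.recipient, 0) + dep.amount

    def burn_and_release(self, holder: str, amount: int) -> None:
        """Exit path: burn wETH on the destination chain, release ETH on the source."""
        if self.wrapped.get(holder, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.wrapped[holder] -= amount
        self.locked -= amount

    def is_solvent(self) -> bool:
        """Invariant: every wETH in circulation is backed by locked ETH."""
        return sum(self.wrapped.values()) <= self.locked


def run_scenarios() -> dict:
    """Honest flow, three rejected mints, then a Ronin-style key compromise."""
    secrets = {f"v{i}": f"secret-{i}".encode() for i in range(9)}  # constructed
    bridge = LockMintBridge(secrets, threshold=5)
    out = {}

    dep = bridge.lock("alice.sol", 10)
    bridge.mint(dep, [attest(v, secrets[v], dep) for v in ["v0", "v1", "v2", "v3", "v4"]])
    out["honest_balance"] = bridge.wrapped["alice.sol"]

    dep2 = bridge.lock("bob.sol", 3)
    for name, atts in {
        "under_threshold": [attest(v, secrets[v], dep2) for v in ["v0", "v1", "v2", "v3"]],
        "duplicate_signer": [attest("v0", secrets["v0"], dep2)] * 5,
        "replay": [attest(v, secrets[v], dep) for v in ["v0", "v1", "v2", "v3", "v4"]],
    }.items():
        try:
            bridge.mint(dep2 if name != "replay" else dep, atts)
            out[name] = "minted"
        except ValueError as e:
            out[name] = str(e).split(":")[0]
    out["solvent_before_compromise"] = bridge.is_solvent()

    # Attacker holds 5 validator secrets and fabricates a deposit that never
    # happened on the source chain. The contract cannot tell: the signatures check.
    forged = Deposit(nonce=999, recipient="attacker.sol", amount=1_000_000)
    bridge.mint(forged, [attest(v, secrets[v], forged) for v in ["v0", "v1", "v2", "v3", "v4"]])
    out["solvent_after_compromise"] = bridge.is_solvent()
    return out
```

The point of the last scenario is that nothing in `mint()` can be tightened to stop it: in an externally verified design the destination chain never sees chain A, so validator key hygiene and independence are the whole security model.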
Major Bridge Hacks
Four incidents, each illustrating a different failure mode: compromised validator keys, a contract-level bypass of the signature check, a misconfigured upgrade, and centralized key custody.
Ronin Network — $625M (March 2022)
Mechanism: Ronin used a 5-of-9 validator multi-sig for bridge withdrawals. Lazarus Group (North Korean state hackers) compromised a senior Sky Mavis engineer with a fake job offer delivered as a malicious PDF, used that foothold to reach Sky Mavis infrastructure and the four validator keys the company controlled, and obtained the fifth through Axie DAO's validator: Sky Mavis had been allowlisted to sign on Axie DAO's behalf in late 2021 and the permission was never revoked. With five keys they forged two withdrawals, which went unnoticed for six days.
Lesson: Multi-sig security is only as strong as its key holders' operational security and independence. Five of the nine keys were effectively reachable from one organization, so the threshold gave far less independence than "5 of 9" implies; every delegated signing permission needs an expiry and a revocation checklist.
Wormhole — $325M (February 2022)
Mechanism: The Solana-side program's signature verification read the result of a preceding secp256k1 signature-check instruction through Solana's Instructions sysvar, but used a deprecated helper that did not verify the account it was handed was actually that sysvar. The attacker passed a fake account whose data claimed the guardian signatures had been verified, obtained a valid-looking signed message, and minted 120,000 wETH on Solana backed by no ETH on Ethereum.
Notable: Jump Crypto (Wormhole’s backer) immediately replenished the 120,000 ETH to make users whole — a rare instance of a backer fully covering losses.
Lesson: Smart contract review must cover every authority and signature validation path, including the accounts a program is handed as inputs. The bug was a single missing check that a sysvar account had the expected address.
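The missing check, modelled in Python as an added example written for this page (not Wormhole's Rust). The two Solana addresses are the real sysvar and secp256k1 program IDs; the instruction encoding (first data byte = number of signatures the secp256k1 program verified), the accounts and the quorum handling are constructed stand-ins for the real layout.

```python
"""Model of the Wormhole Solana signature-check bypass (February 2022).

Added example written for this page, not Wormhole's code. A Solana program
that needs to see other instructions in the same transaction reads them via
the Instructions sysvar account. The two addresses below are the real ones;
the instruction encoding and the accounts are constructed stand-ins.
"""
from dataclasses import dataclass

SYSVAR_INSTRUCTIONS_ID = "Sysvar1nstructions1111111111111111111111111"
SECP256K1_PROGRAM_ID = "KeccakSecp256k11111111111111111111111111111"
GUARDIAN_QUORUM = 13   # of 19 guardians


@dataclass
class Instruction:
    program_id: str
    data: bytes          # constructed encoding: data[0] = signatures verified


@dataclass
class Account:
    key: str
    instructions: list   # what this account's data decodes to


def load_instruction_at_unchecked(index: int, account: Account) -> Instruction:
    """Deprecated pattern: decodes whatever account it was given."""
    return account.instructions[index]


def load_instruction_at_checked(index: int, account: Account) -> Instruction:
    """Fixed pattern: refuse any account other than the real sysvar."""
    if account.key != SYSVAR_INSTRUCTIONS_ID:
        raise ValueError("account is not the Instructions sysvar")
    return account.instructions[index]


def verify_signatures(sysvar_account: Account, loader) -> bool:
    """Accept a guardian signature set if the secp256k1 program verified a
    quorum in the instruction preceding this one (index 0 in this model)."""
    ix = loader(0, sysvar_account)
    if ix.program_id != SECP256K1_PROGRAM_ID:
        return False
    return ix.data[0] >= GUARDIAN_QUORUM


def attacker_transaction(loader) -> bool:
    """The attacker holds no guardian key, so the genuine sysvar shows a
    secp256k1 instruction that verified 0 signatures. They instead pass an
    account they control whose data claims all 19 were verified."""
    real_sysvar = Account(SYSVAR_INSTRUCTIONS_ID,
                          [Instruction(SECP256K1_PROGRAM_ID, bytes([0]))])
    fake_sysvar = Account("FakeSysvar1111111111111111111111111111111111",
                          [Instruction(SECP256K1_PROGRAM_ID, bytes([19]))])
    assert not verify_signatures(real_sysvar, loader)   # honest data never passes
    try:
        return verify_signatures(fake_sysvar, loader)      # True = mint authorized
    except ValueError:
        return False
```

With the unchecked loader the forged account is accepted and the mint goes through; with the checked loader the same transaction fails at the address comparison. The general rule for Solana programs: every account whose contents the program trusts must have its key compared against the expected address or owner.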
Nomad — $190M (August 2022)
Mechanism: Nomad used an optimistic fraud-proof model. A routine upgrade initialized the Replica contract with a committed root of 0x0000... (zero) and marked that root as confirmed. A message nobody had ever proven has a stored root of zero by default, so the contract's root check passed for it and process() delivered it. In effect, any message submitted straight to process() with no proof at all was accepted. One attacker discovered this; others copied the exploit transaction and changed only the destination address. Within hours, hundreds of copycats had drained the bridge in a "free-for-all", with almost all funds gone in about two hours.
Lesson: Even sound architectures can be broken by routine upgrades. Initialization paths and zero-value cases need explicit tests, and a message with no proof must never satisfy a proof check.
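The zero-root logic, modelled in Python as an added example written for this page (not Nomad's Solidity, whose structure it follows loosely): `process()` looks up the root a message was proven under, which defaults to zero for a message nobody proved, and `acceptable_root()` decides whether that root is trusted. The vulnerable configuration marks the zero root as confirmed at initialization; the hardened variant refuses the zero root outright. Messages, roots and timestamps are constructed, and SHA-256 stands in for keccak256.

```python
"""Model of the Nomad Replica process()/acceptable_root() logic.

Added example written for this page, not Nomad's contract code. It reproduces
the control flow behind the August 2022 incident: an upgrade initialized the
Replica with a committed root of zero and marked it confirmed, so unproven
messages (stored root defaults to zero) passed the check. SHA-256 stands in
for keccak256; messages, roots and timestamps are constructed.
"""
import hashlib

STATUS_NONE = bytes(32)                     # never proven (the mapping default)
STATUS_PROVEN = (1).to_bytes(32, "big")     # legacy "proven" marker
STATUS_PROCESSED = (2).to_bytes(32, "big")  # already delivered


def message_id(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class Replica:
    def __init__(self, committed_root: bytes, now: int, reject_zero_root: bool):
        self.now = now
        self.reject_zero_root = reject_zero_root   # False = pre-exploit behaviour
        # Merkle root -> timestamp from which messages under it may be processed.
        self.confirm_at = {committed_root: 1}      # initialize(): trusted from t=1
        # message id -> root it was proven under, or a STATUS_* marker.
        self.messages = {}
        self.delivered = []

    def acceptable_root(self, root: bytes) -> bool:
        if root == STATUS_PROVEN:
            return True
        if root == STATUS_PROCESSED:
            return False
        if self.reject_zero_root and root == STATUS_NONE:
            return False  # the fix: "no root" is never an acceptable root
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and self.now >= confirm_time

    def prove(self, message: bytes, root: bytes) -> None:
        # The real contract verifies a Merkle proof of `message` under `root`
        # here; this model assumes the proof checks out.
        self.messages[message_id(message)] = root

    def process(self, message: bytes) -> bool:
        mid = message_id(message)
        root = self.messages.get(mid, STATUS_NONE)   # unproven -> zero root
        if not self.acceptable_root(root):
            return False                              # require(..., "!proven")
        self.messages[mid] = STATUS_PROCESSED
        self.delivered.append(message)
        return True


def forged_message_processed(reject_zero_root: bool) -> bool:
    """Replay the incident: a message nobody proved, sent straight to process()."""
    replica = Replica(committed_root=bytes(32), now=1_659_000_000,
                      reject_zero_root=reject_zero_root)
    forged = b"bridge-transfer|WBTC|100|0xattacker"   # constructed; copycats changed only the recipient
    return replica.process(forged)


def legitimate_flow() -> tuple:
    """Normal path: a real root is confirmed, the message is proven, then processed once."""
    real_root = hashlib.sha256(b"home-chain-root").digest()
    replica = Replica(committed_root=real_root, now=1_659_000_000, reject_zero_root=True)
    msg = b"bridge-transfer|USDC|500|0xalice"
    replica.prove(msg, real_root)
    first = replica.process(msg)
    second = replica.process(msg)      # replay attempt: already PROCESSED
    return first, second
```

Note that the bug is not in the Merkle verification at all: `prove()` is never called in the forged path. The check that failed is the one that should distinguish "proven under a confirmed root" from "never proven", and a zero sentinel that doubles as a valid mapping key collapses that distinction.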
Multichain — $130M+ (July 2023)
Mechanism: Multichain's CEO (Zhaojun) was detained by Chinese authorities in May 2023. The bridge's keys, marketed as a multi-party scheme, were in practice under his sole control. In July 2023 the bridge's locked funds were drained by a party the remaining team could not identify, and the project went offline.
Lesson: Trusted custodians of bridge keys create single points of failure. Centralized key management cannot be “decentralized” by branding.
Bridge Security Best Practices (for Projects)
- Minimize locked value: Don’t accumulate more than necessary in bridge contracts
- Multi-sig with opsec: keys in hardware security modules, threshold signatures (MPC) rather than a single hot key, key holders in independent organizations and geographies, and an expiry and revocation process for every delegated signing permission (Ronin's unrevoked Axie DAO allowlist)
- Light clients over oracles: Natively verified > externally verified when technically feasible
- Independent audits: Multiple top-tier auditors (Trail of Bits, OpenZeppelin, Certik)
- Formal verification: Mathematical proofs of correctness for critical paths
- Insurance/backstop: Nexus Mutual cover, protocol insurance fund
- Bug bounty: High value Immunefi bounties attract white-hat researcher attention
- Timelocks: Delay large withdrawals so anomalous patterns can be detected, and the bridge paused, before funds leave
- Rate limits: Cap how much can flow in/out per block or hour
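A withdrawal guard that combines the last two items, as an added Python example written for this page (not any bridge's code). The parameters are illustrative: at most 1,000 units released per rolling hour, withdrawals of 100 units or more held for 24 hours, and a guardian veto while the hold runs. The scenario at the end is constructed: an attacker who has already forged mint authority tries to cash out in small pieces and then in one large piece.

```python
"""Rate limit plus timelock for bridge withdrawals.

Added example written for this page; not code from any real bridge. The cap,
threshold and delay are illustrative, and run_scenario() is constructed.
"""
from collections import deque

HOUR = 3600


class WithdrawalGuard:
    def __init__(self, window_cap: int, large_threshold: int,
                 window: int = HOUR, delay: int = 24 * HOUR):
        self.window_cap = window_cap            # max released per rolling window
        self.large_threshold = large_threshold  # at or above this: timelocked
        self.window = window
        self.delay = delay
        self.released = deque()  # (timestamp, amount) of releases in the window
        self.pending = {}        # id -> (release_at, recipient, amount)
        self.next_id = 0

    def _window_total(self, now: int) -> int:
        while self.released and self.released[0][0] <= now - self.window:
            self.released.popleft()
        return sum(amount for _, amount in self.released)

    def _release(self, now: int, amount: int) -> bool:
        if self._window_total(now) + amount > self.window_cap:
            return False                       # rate limited: caller retries later
        self.released.append((now, amount))
        return True

    def request(self, now: int, recipient: str, amount: int) -> str:
        """Entry point for a withdrawal; returns what happened to it."""
        if amount >= self.large_threshold:
            self.pending[self.next_id] = (now + self.delay, recipient, amount)
            self.next_id += 1
            return "queued"
        return "released" if self._release(now, amount) else "rate_limited"

    def veto(self, withdrawal_id: int) -> bool:
        """Guardian cancels a queued withdrawal while the timelock is running."""
        return self.pending.pop(withdrawal_id, None) is not None

    def release_due(self, now: int) -> list:
        """Release queued withdrawals whose delay has elapsed. They still count
        against the rolling cap, so a burst of matured withdrawals is bounded too."""
        done = []
        for wid, (release_at, _recipient, amount) in sorted(self.pending.items()):
            if now >= release_at and self._release(now, amount):
                done.append(wid)
        for wid in done:
            del self.pending[wid]
        return done


def run_scenario() -> dict:
    guard = WithdrawalGuard(window_cap=1000, large_threshold=100)
    out = {}
    t0 = 1_700_000_000
    # Attacker tries to drain with many withdrawals just under the large threshold.
    results = [guard.request(t0 + i, "0xattacker", 99) for i in range(15)]
    out["small_released"] = results.count("released")        # 10 x 99 fits the cap
    out["small_rate_limited"] = results.count("rate_limited")
    # One big withdrawal is queued, not paid; a guardian vetoes it before maturity.
    out["large"] = guard.request(t0 + 20, "0xattacker", 5000)
    out["vetoed"] = guard.veto(0)
    # A legitimate large withdrawal matures after the delay, once the window has cleared.
    out["legit"] = guard.request(t0 + 30, "0xalice", 500)
    out["released_early"] = guard.release_due(t0 + HOUR)      # not yet matured
    out["released_after_delay"] = guard.release_due(t0 + 30 + 24 * HOUR)
    return out
```

Neither control prevents theft once mint authority is forged; they bound the loss per hour and buy responders a window in which the veto (or a full pause) can be used. The cap needs to be set from real traffic: too low and legitimate users are rate limited, too high and the bound is meaningless.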
User Best Practices
For bridging assets:
- Prefer canonical/native bridges (Arbitrum Bridge, Optimism Bridge, Polygon Bridge) over third-party bridges: a chain's canonical bridge inherits that chain's own security model instead of adding a separate validator set, and its operators have the strongest incentive to keep it secure
- Use well-audited, established bridges (Wormhole, Synapse, LayerZero-based bridges such as Stargate)
- Don’t bridge more than you need at once — consider gas costs vs. risk
- Check bridge TVL: very low TVL bridges have less incentive for security investment
- Use explorers (LayerZero Scan, Wormhole explorer) to verify transaction status
To get started:
- Acquire assets from
- Sign bridge transactions with a hardware wallet where the bridge interface supports it; bridge calls and token approvals are complex, so confirm the contract address and the approval amount on the device screen rather than trusting the web page
- Store long-term holdings in cold storage:
State of Bridge Security (2024)
The bridge hacking wave of 2021-2022 produced significant improvements:
- LayerZero introduced DVN (Decentralized Verifier Networks) allowing applications to choose their own verification security model
- ZK bridges moved from research to early production
- Insurance protocols (Nexus Mutual, InsurAce) scaled bridge cover capacity
- Bug bounties on Immunefi include some of the largest payouts in software history ($10M+)
Total bridge hack losses declined in 2023-2024 vs. 2021-2022, suggesting security improvements were effective — though no major bridge has been mathematically proven secure.
Social Media Sentiment
Bridge security is one of crypto’s most technically discussed topics. The Ronin ($625M) hack shocked the ecosystem not because of sophisticated cryptography but because of basic operational security failures — a fake job offer PDF compromising a private key. The Nomad hack turned into dark comedy as random copycats drained tens of millions simply by changing destination addresses in copied transactions. The general crypto security community consensus: externally-verified multi-sig bridges are fundamentally insecure for billions of dollars of locked value; the correct direction is ZK-verified or natively-verified light client bridges. LayerZero’s DVN model is viewed as a pragmatic intermediate step. Until ZK bridges are fully production-ready and proven at scale, “don’t put more in bridges than you can afford to lose” remains solid advice.
Last updated: 2026-04
Sources
Buterin, V. (2022). Why the Future Will Be Multi-Chain But Not Cross-Chain. Post on r/ethereum (Reddit).
Qin, K., Zhou, L., Livshits, B., & Juels, A. (2021). Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit. Financial Cryptography and Data Security.
Eskandari, S., Moosavi, S., & Clark, J. (2020). SoK: Transparent Dishonesty: Front-Running Attacks on Blockchain. Financial Cryptography and Data Security Workshops.
Zamyatin, A., Al-Bassam, M., Zindros, D., Kokoris-Kogias, E., Moreno-Sanchez, P., Kiayias, A., & Knottenbelt, W. (2019). SoK: Communication Across Distributed Ledgers. Financial Cryptography and Data Security.
Chainalysis. (2022). The 2022 Crypto Crime Report: Cross-Chain Bridge Hacks. Chainalysis research report covering the Ronin, Wormhole, Nomad, and Harmony bridge exploits — the largest DeFi losses in history to that point.