Why Cross-chain Bridges Are So Vulnerable to Hacking

December 2021 — Network Log4j is a widespread logging library used by an incredibly high percentage of the world's Java code. This flaw wasn't in an operating system, nor a major app. It was a utility, which most users had never even heard of, and that lived in the belly of systems that were audited, maintained and defended over many years. Within a few hours of being disclosed publicly, exploitability scanners were scanning every accessible server on the Internet for it! It took months for the patch to propagate completely.

It is not a story of blockchain. But it is the best lens for understanding how cross-chain bridges continue to be hacked. And the individual blockchains — Bitcoin, Ethereum, Solana — were baked with extraordinary care for their consensus mechanisms, their cryptographic axiomatics, their validator incentive structures. Their underlying protocols have gone through years of research and adversarial testing. They had their bonds forged separately, in different tight constraints and at the hands of different teams, rarely very scrutinised. And that money is tied to these connections.

What a Bridge Is and a Little Why It Needs to Be There

Blockchains do not communicate together natively. Bitcoin has no way whatsoever of knowing what takes place on Ethereum. It is no different with Ethereum's smart contracts, which are blind to Solana's state. Again, by design each network is isolated — a closed system that is secured by the very nature of its isolation. The validators of that chain will only agree to anything in line with the rules, without any externally provided data that they cannot verify.

Practically, this becomes a problem when the ecosystem grows. If you want to use Ethereum-based DeFi but only have Bitcoin, there currently is no direct route. This would also mean selling their Bitcoin, buying Ethereum on a centralized exchange and going from there — but that reintroduces exactly the type of custodial intermediary decentralized finance is supposed to remove. Bridges emerged to fill the gap between chains as the need for a decentralized route became undeniable.

Lock-and-mint is the most widely used bridge architecture. A user deposits tokens on chain A and locks them in a smart contract. This deposit is monitored and attested by a quorum of validators or a multisig committee. This creates an equal amount of wrapped tokens on chain B — a synthetic backed by the promise that the collateral exists to back-to-back its value on the other side. Exit — The user burns wrapped tokens on chain B, the validators record this event and the locked assets are unlocked on chain A.

The elegance of this model is also the problem. These locked assets are held in one single contract. They do not move. They accrue. Bridge is a vault.

Sidechains and their implementation in cross-chain contracts were initially formalized in a 2014 paper. Atomic swaps — cryptographic protocols for trustless peer-to-peer asset exchange between chains — were first introduced in 2018. Both of these early methods had since terrible glaring scalability issues. Due to the consensus mechanisms used, atomic swaps are bilateral and require matching buyers and sellers before any exchange occurs; they cannot function as generalised liquidity infrastructure. The lock-and-mint bridge solved scalability by adding a pool of locked collateral that anyone could draw against — and consequently, it generated basically a honeypot.

Practical bridges first came into existence between 2020 and 2022 when the DeFi boom generated real demand for moving capital across chains. This generation was embodied in Ronin Bridge, which was designed for the Axie Infinity gaming ecosystem. Wormhole, which connected Solana and Ethereum; the Harmony Horizon Bridge, which attached Harmony's blockchain to Ethereum also had this privilege. Each of these employed small committees of validators to sign confirmations of cross-chain transfers – groups composed typically of between five and twelve signers (known as a committee) whose collective signature would be used to approve any withdrawal. It was economical to run, and rapid to react. It was also a single point of failure that attackers could calculate around mathematically —

Four Hacks, Four Different Failures with a Common Architecture

In 2022, there was an outbreak of bridge exploits that caused aggregate losses to exceed $2 billion. Four of these, however, stand out — not because they were technically similar — they were not — but that each one illustrates a different way the same architecture fails.

Largest single DeFi exploit in history. In a moment that would turn out to the largest single-defi exploit of all time, Ronin Bridge was hacked for $624 million on March 23rd 2022. To authorize a withdrawal, the Ronin validator set relied on five-of-nine signatures. In March alone, four keys owned by Sky Mavis — the developers behind Axie Infinity — were compromised after attackers carried out a spear-phishing attack disguised by a fake job offer. However, in the months earlier to this incident, Sky Mavis had informally granted them temporary signing authority over a fifth key so they could handle transaction volume and that delegation was never revoked. The assailants had five signatures against themselves. In two transactions they siphoned 173,600 ETH and $25.5 million USDC out of the network. It took six days to discover the breach.

In February 2022, Wormhole lost $326 million through an entirely different failure, signalling the end of a seven-week long fall. The security bug, involving a deprecated function in the Solana smart contract — code that should have been removed as part of a regular upgrade but wasn't — enabled an attacker to bypass signature validation. The attacker issued a fake deposit attestation, minted 120,000 wrapped Ether with nothing backing it and withdrew actual Ether from the Ethereum side. It said that the flaw stemmed from remedial code that wasn't fully cleaned up and nobody spotted it in a review.

Nomad collapsed through a mechanism in August 2022 that was even more humiliating. By routine upgrading, a critical validation parameter was reset to zero causing the contract to treat any transfer proof as valid. Of these, once it was uncovered and publicly disclosed, more than 300 various addresses — not sophisticated attackers, many just as common opportunists — swooped in on the bridge in a free-for-all first-come-first-served drain. $190 million was gone.

All attackers had to do was acquire two of the signing keys critical to the operation of Harmony's Horizon Bridge — right at its compromised threshold. However, there was never any public confirmation on how those keys were acquired. The takeaway was that a 2-of-5 signing threshold for a bridge with nine figures of assets — even one that's well-written — just ain't gonna cut it.

The pattern continued into 2023. Multichain, the most prominent cross-chain routing protocol that experienced a $126 million loss in July 2023, was not lost through lines of exploitative code but because its CEO was detained in China and his personally held private keys were used to deplete the bridge’s funds. Orbit Chain was attacked when 7 out of its 10 multisig keys were attacked, causing a loss of $81 million. The single biggest reason why the exploit was catastrophic rather than just bad in every case, was simply that a single contract with all assets locked had only just a few keys who could control them.

Blockchains Were Thoughtful. Their Connections Were Not

Ethereum spent years preparing for its transition to proof of stake. Professional mathematicians have been analyzing the cryptographic primitives behind Bitcoin transaction signing for more than a decade. Preparing major blockchains for deployment at scale received a lot of academic and engineering attention on their incentive structures.

Bridges had no such development period. They arose out of practical challenges cobbled together in a hurry and meant really for capturing exigent demand during a time when DeFi was growing faster than anyone could analyze — patchworked onto blockchains which weren't built to interoperate, but without either the institutional resources or the adversarial research community that picked apart base protocols. This is how bugs and vulnerabilities come to be in any complex system: something is added on top of existing infrastructure without coming through the quality needed within that design, which means it should have been a first class design concern. Bridges always came out of the gate with big value locked — because that is how they work — and allowed engineering shortcuts to be immediately consequential.

In January 2022, weeks prior to the first major bridge exploit of that year, Vitalik Buterin explicitly noted this structural risk. He cautioned that bridges give rise to systemic risk, as an attack of 51% could in principle target all the properties of assets locked across many chains. While his exact worry was not the validator key attacks that did happen, but rather the more abstract idea that cross-chain systems both inherit and amplify the risks of their component chains, this principle is proved out in practice.

Each successive generation of the major bridges has addressed other issues but maintained the same core vulnerability, and these factors help to explain why:

Small multisig committees cheap, fast and trivially targeted by key theft and phishing — Generation 1 (2020–2022)

Generation 2 → (2023–2024) Wallets with wide validator sets, utilising economically incentivized verifier networks to mitigate key compromise risk and reduce trust in the honesty of off-chain operators.

This is the first architecture that removes all trust in human operators — through zero-knowledge proofs allowing you to mathematically verify the cross-chain state (in Generation 3 – 2025–present) but brings up new complications: proof generation cost, latency and circuit correctness.

Not even the safest generation of bridges has completely solved this problem. This means that zero-knowledge proofs are as good as the circuits from which they were created. Circuit bugs aren't completely unheard of, however. And the economic incentives that draw in large TVL to bridges also attract proportionally funded hackers.

Perhaps the most significant architectural change is replacing trusted intermediaries with mathematical verification. Unlike a ZK bridge, which does not raise the question "can we trust the validators? — it produces a cryptographic proof that something happened on the source chain for a particular transaction, and it submits this evidence to the destination chain for on-chain verification. At that point, compromising a group of humans would be more like breaking the underlying cryptography than an actual security guarantee.

Chainlink employs dozens of independent networks to inform its Cross-Chain Interoperability Protocol (CCIP), with an extra Risk Management Network that detects anomalous behaviour. No cross-chain message can be executed without both chains' agreement. Neither can unilaterally approve a transfer. This is defense in depth applied to the bridge architecture itself.

The third direction is about intent based bridges. Instead of a deep lock-up of collateral that anyone could potentially drain, they match users with professional liquidity providers–"solvers" who execute cross-chain transfer using their own inventory. You are paid by the user and the bridge itself has no pooled collateral that is a honeypot. The attack surface moves from "rob the vault" to "defraud a single solver", which is a much smaller prize.

A more robust approach would be to have an expanded framework between the two chains — one that was more than just a bridge but much closer to a shared security layer — which adds technical robustness and requires chain teams themselves, not merely third-party developers. What is closest to the realization of this concept in practice today is Polkadot's parachain model, where blockchains attach to a common relay chain and inherit security from it. The problem with it is that it only runs on the Polkadot ecosystem. To bridge between Ethereum and Bitcoin in the same way would require modifications to Bitcoin's protocol that its community has repeatedly refused to implement.

All of these are harder to build than describe. Constructing zk proofs for complex cross-chain state is expensive and requires cryptographic expertise. For the proofs to be produced, the circuits need formal verification — ZK circuit bugs live a different existence than standard smart contract bugs: Though rarer, with far more damaging potential. Why? Because a bug in a prover chain undermines the entire mathematical guarantee that is the whole point of going down this approach in the first instance. That means their system needs enough solver competition to deliver fair pricing and avoid being gamed by users. Then, if a solution does require protocol-level changes to existing blockchains, it faces the slowest possible route to implementation — consensus from communities, specification of changes, development, testing and deployment of changes to networks securing hundreds of billions.

What Happens To You When a Bridge Gets Hacked

Practical consequences of users in a bridge exploit can be classified as follows and none are abstract.

The most explicit is complete loss. If a user has assets about to cross the bridge during an exploit then your transaction will be stuck for ever or you may never see it again. If the contract, or maker of the bridge were to be turned off (paused/destroyed), assets locked on that source chain would become inaccessible. The wrapped asset remains on-chain, it just no longer represents anything. Wrapped tokens on destination chain are worth nothing if underlying collateral they were backed by have been taken (e.g. stolen).

The halted bridges contribute to delays that compound into larger losses. That incident, though, would not be unique in 2023; when Multichain was compromised earlier in the year, the bridge remained offline for days before its operators confirmed the scale of breach. There was no timeline and no recourse for users who had real transactions pending. More than data corruption risk, in volatile markets losing the ability to move your funds between chains for days are significant opportunity costs even if that capital is recoverable.

The price of the exploited asset almost instantaneously sees volatility after a bridge exploit. However, stolen assets are usually dumped on decentralized exchanges by the attackers who seek to launder funds. The first hour following a major bridge hack is consistently one of the most turbulent periods in which the tokens affected by it will go through. This means that even users who had not used the bridge at all can take losses on their portfolios as other their holdings elsewhere drop in value on news of an exploit.

The less common yet a pronounced concern is that of privacy exposure. Cross-chain transactions require on-chain data across multiple networks at the same time, and with sufficient analysis of bridge contract logs any researcher can derive a link between a user's addresses on different chains. Chain separation as an informal privacy measure is lost the instant users use any interoperable bridge.

The last thing I can directly say: platforms and protocols have a long history of downplaying security incidents and hiding the details of their architectures until forced to reveal them. Bridge teams sat on known exploits, described big losses as "investigative pauses," and picked up where they left off without really fixing the underlying conditions that made them susceptible to attack. It chose to ignore public hints that its low signature threshold was going on for 83 days before the promised attack kicked in. Despite emptying the bridge of its entire TVL, Ronin's hack went unnoticed for six whole days.

Public pressure is at best the only check on this behavior. It is users, researchers and journalists asking uncomfortable questions about validator set sizes, key management procedures, signature thresholds and upgrade processes that push bridge teams to treat these issues as substantive concerns rather than footnotes. Not every project that garners that attention will immediately cure its ailments. However the ones who know they are being watched will remedy them much more swiftly than those who think that no one is watching. Such incentives do not last forever, but in real money infrastructure, anything that results in an improvement to security is worth taking.

For operators on TRON that want no-guessing transparent pricing — Netts does this for Energy rental, with the price of Energy released by time period dynamically updated according to the current state of the TRON Network. The contrast between low rate TRON Energy during the night (minimum 23 sun is billed from 01:00 to 11:00 UTC), and maximum rates (37 sun are charged from 14:00 to midnight) means that an informed user can significantly cut costs on USDT transfers just by choosing and timing a transaction, or pre-renting energy at the most favourable time — trivial cost optimization based solely upon knowing what to check. If you are looking for cheap Energy without the subscription or too much volume commitment, Netts operates on the No Subscription model, with all fees factored in their displayed consumer price.