Short answer
Cross-chain bridges remain the single most attacked piece of DeFi infrastructure. The biggest bridge hacks — Ronin ($625M, 2022), Wormhole ($325M, 2022), Nomad ($190M, 2022), Multichain ($600M+, 2023) — together exceed $2 billion in user losses. For US holders, the safer rule is: use bridges only when there's no centralized alternative, keep bridge exposure short-term (move funds, then move them off the bridge wrapped form), and never use a bridge for long-term holding.
Why bridges fail
The economic geometry is unfavorable. A bridge holds locked collateral for every wrapped token it has issued. If $500M of wETH is in circulation on Polygon via the Polygon PoS Bridge, the bridge contract holds $500M of real ETH on Ethereum. That's a single contract balance that attackers can target.
The validator set or signer threshold is also an attack surface. Ronin's hack succeeded because the attacker compromised 5 of 9 validator keys. Wormhole's hack succeeded because of a signature-verification bug. Each bridge architecture has different failure modes, but the common pattern: large locked value + complex multi-party security model = high-leverage target.
The relative safety hierarchy in 2026
Tier 1 (safest): Canonical L2 bridges. Arbitrum Bridge, Optimism Bridge, Base Bridge. These are part of the rollup architecture; the underlying ETH is escrowed in L1 contracts protected by L1 consensus. They've been audited extensively and have multi-billion TVL with no major exploits.
Tier 2 (moderate): Established cross-chain bridges with track record. Stargate (LayerZero), Across, Hop Protocol. Multi-year track records, audited, $100M-$1B TVL, smaller exploits over time but no catastrophic failures.
Tier 3 (use sparingly): New or less-tested bridges. Anything launched in the past 12 months, anything with TVL under $50M, anything that's been hacked before and re-launched.
Tier 4 (avoid): Sketchy bridges. Any bridge with anonymous team, no audit reports, suspicious yield programs to attract TVL. These appear frequently and exit-scam regularly.
The CEX alternative
For moving value from Ethereum to Arbitrum: send back to Coinbase/Kraken, withdraw to Arbitrum. Costs more time (1-2 days), often costs less in fees, eliminates bridge risk entirely. For US holders, this is usually the better path.
Exception: if the asset isn't supported on US exchanges (newer tokens, smaller cap altcoins), bridges become necessary. In that case, use Tier 1 or 2 bridges and minimize the time funds spend in wrapped form.
The wrapped-token sub-risk
Even when the bridge works correctly, the wrapped token on the destination chain has its own risks. Wrapped Bitcoin (WBTC) depends on BitGo's continued operation. cbBTC depends on Coinbase. Multichain's various wrapped tokens (anyETH, anyUSDC) became worthless when Multichain collapsed.
The safer pattern: bridge → swap to native asset → use the native asset. Don't hold wrapped versions long-term.
Further reading: Bridge, Wrapped token.