A bridge in crypto is a protocol that moves assets from one blockchain to another. Conceptually simple, mechanically complex, and historically the single most attacked piece of infrastructure in DeFi. The biggest bridge hacks — Ronin ($625M, March 2022), Wormhole ($325M, February 2022), Nomad ($190M, August 2022), Multichain ($600M+, July 2023) — together account for well over $2 billion in lost user funds.

What a bridge actually does

Three architectural patterns:

Lock-and-mint. The user deposits ETH (or another asset) into a smart contract on the source chain. A validator set observes the deposit and mints a corresponding "wrapped" token on the destination chain (wETH, etc.). To bridge back, the user burns the wrapped token; the validator set releases the original ETH from the source contract. This is the dominant pattern.

Liquidity pools on both sides. Each chain has a liquidity pool. The user deposits to the source pool; a relayer immediately disburses equivalent funds from the destination pool. The pools rebalance via separate mechanisms. Stargate (built on LayerZero) uses this pattern. Lower latency, higher capital cost.

Atomic-swap and HTLC. No centralized validator set is involved. The two parties to a cross-chain swap use hash-time-locked contracts that atomically execute the swap if both parties cooperate and refund if either does not. Cleanest cryptographically; slowest in UX. Used by Thorchain, ChainFlip, and several Bitcoin-Ethereum bridges.
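
The HTLC pattern above, as an added example that is not part of the original article: a simplified Python model (not contract code from any of the projects named) of the two hash-time-locked contracts in one swap, covering both the cooperative path and the refund path. The party names, amounts, timeouts and secret are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class HTLC:
    """Simplified model of one hash-time-locked contract (not real contract code)."""
    sender: str
    recipient: str
    amount: int
    hashlock: bytes                     # SHA-256 digest of the secret preimage
    expiry: int                         # time from which the sender may refund
    state: str = "locked"
    revealed: Optional[bytes] = None    # preimage becomes public once claimed

    def claim(self, caller: str, preimage: bytes, now: int) -> bool:
        """Recipient takes the funds by revealing the preimage before expiry."""
        if self.state != "locked" or caller != self.recipient or now >= self.expiry:
            return False
        if hashlib.sha256(preimage).digest() != self.hashlock:
            return False
        self.state, self.revealed = "claimed", preimage
        return True

    def refund(self, caller: str, now: int) -> bool:
        """Sender recovers the funds, but only after expiry and only if unclaimed."""
        if self.state != "locked" or caller != self.sender or now < self.expiry:
            return False
        self.state = "refunded"
        return True

def swap(both_cooperate: bool) -> Tuple[str, str]:
    """Run one Alice<->Bob swap and return the final state of both contracts."""
    secret = b"constructed-sample-secret"   # constructed value; Alice picks it
    h = hashlib.sha256(secret).digest()
    # Alice locks first with the LONGER timeout. Bob's lock expires earlier, so
    # Alice must reveal the secret while Bob still has time to reuse it.
    on_chain_a = HTLC("alice", "bob", 10, h, expiry=200)
    on_chain_b = HTLC("bob", "alice", 500, h, expiry=100)
    if both_cooperate:
        on_chain_b.claim("alice", secret, now=50)             # reveals preimage on chain B
        on_chain_a.claim("bob", on_chain_b.revealed, now=60)  # Bob reuses it on chain A
    else:
        # Alice never claims; both sides wait out their timelocks and refund.
        on_chain_b.refund("bob", now=100)
        on_chain_a.refund("alice", now=200)
    return on_chain_a.state, on_chain_b.state
```

The asymmetric timeouts are the safety-critical detail: if both locks expired at the same time, the secret holder could claim at the last moment and leave the counterparty no window to claim on the other chain.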

Why bridges keep getting hacked

The economic geometry is unfavorable. A bridge holds the locked collateral for every wrapped token it has issued. If $500M of wETH is in circulation on Polygon via the Polygon PoS Bridge, the bridge contract holds $500M of real ETH on Ethereum. That's a single contract balance the attacker can target.

The validator-set attack surface is also large. Ronin's hack succeeded because the attacker compromised five of nine validator keys. Wormhole's hack succeeded because of a signature-verification bug in the bridge contract. Nomad's hack succeeded because of a one-line initialization mistake. The combination of "huge target balance + complex code + decentralized signer set" produces a bug surface that has been catastrophic in practice.

What a US holder should know

Two operational rules:

Never bridge funds you cannot afford to lose. Bridge exposure should be treated as risk equivalent to keeping the same funds on an unregulated CEX. The probability of catastrophic loss in any given month is small, but the historical record is bad enough that this is not a place for long-term position-holding.

Prefer native withdrawals from CEXes over bridge transfers between chains. Want to move USDC from Ethereum to Arbitrum? Send it back to Coinbase, withdraw to Arbitrum directly. Costs more in time, costs less in expected loss.

The "canonical bridge" exception

Layer-2 networks (Arbitrum, Optimism, Base, Polygon zkEVM) maintain their own official bridges as part of the rollup infrastructure. These bridges are technically necessary for the rollup architecture — exit transactions require them — and are typically the most-audited code in the L2's stack. The official Arbitrum Bridge, Optimism Bridge, and Base Bridge have a meaningfully better security record than third-party general-purpose bridges.

If you must bridge between chains, use the official rollup bridges where possible. For L1-to-L1 bridges (Ethereum to Solana, etc.), the risk profile remains high; minimize the dollar value and the holding time.

Further reading: DEX, Wrapped token.