Crypto Bridges Explained: How Cross-Chain Transfers Work and Key Risks
Learn what crypto bridges are, how they move assets between blockchains, why they are prime targets for hackers, the biggest bridge exploits in history, and how to protect yourself when using them.
$2 Billion Stolen From a Single Type of Target
In 2022 alone, cross-chain bridges accounted for approximately $2 billion in stolen funds — more than any other category of crypto exploit. The Ronin Bridge lost $625 million. The Wormhole Bridge lost $320 million. The Nomad Bridge lost $190 million. And these are just the largest incidents.
Bridges are one of the most used yet least understood pieces of crypto infrastructure. Every time you move an asset from one blockchain to another — say, from Ethereum to Solana or from Ethereum to Arbitrum — you are likely using a bridge. And every time you do, you are trusting a system that hackers have repeatedly proven they can break.
This guide explains what bridges are, how they work, why they keep getting hacked, and what you can do to minimize your risk when using them.
Key Risks
Bridge reality check:
- Bridges have been the #1 target for hackers — billions of dollars stolen in bridge exploits
- When you "bridge" an asset, you often receive a wrapped token — not the original asset
- If a bridge is hacked, your wrapped tokens can become worthless instantly
- Many bridges rely on small groups of validators, creating centralization risks
- Transactions on bridges are generally irreversible — there is no undo button
What Is a Crypto Bridge?
A crypto bridge (also called a cross-chain bridge or blockchain bridge) is a protocol that allows you to transfer assets or data from one blockchain to another. Blockchains are, by design, isolated systems — Ethereum doesn't natively know what's happening on Solana, and Bitcoin has no awareness of Arbitrum. Bridges attempt to connect these separate worlds.
Think of blockchains as islands, each with its own currency. A bridge is the ferry service between islands. But unlike a real ferry that physically carries you and your belongings, crypto bridges use more complex and riskier mechanisms to create the illusion that your assets have moved.
Why Bridges Exist
The problem: Crypto has hundreds of blockchains, and they don't talk to each other.
- You hold ETH on Ethereum but want to use a DeFi protocol on Arbitrum
- You have USDC on Ethereum but want to trade on Solana
- You want to take advantage of lower fees on a Layer 2 network
- An NFT project you want to participate in is on a different chain
Without bridges: You would need to sell your asset on one chain, transfer fiat to an exchange that supports the other chain, buy the asset again. Slow, expensive, and cumbersome.
With bridges: You can (theoretically) move assets between chains directly. Faster and more convenient — but with significant trade-offs in security.
How Bridges Work
The Core Mechanism: Lock and Mint
The most common bridge mechanism works like this:
Step 1: Lock You send your tokens to a smart contract on the source blockchain. Your tokens are locked (held) in this contract.
Step 2: Verify The bridge verifies that you actually deposited the tokens. This verification happens through various methods (more on this below).
Step 3: Mint Once verified, the bridge mints an equivalent amount of "wrapped" tokens on the destination blockchain.
Step 4: Use You now have wrapped tokens on the new blockchain that you can use, trade, or interact with.
To go back:
- You send wrapped tokens to the bridge on the destination chain
- Wrapped tokens are burned (destroyed)
- Original tokens are unlocked on the source chain
- You receive your original tokens back
What Are Wrapped Tokens?
When you bridge ETH from Ethereum to another chain, you don't actually move ETH. Instead, your ETH is locked on Ethereum, and you receive a "wrapped" version (like WETH) on the other chain.
Critical understanding: Wrapped tokens are IOUs. They represent a claim on the original tokens locked in the bridge contract. They are only as valuable as the bridge is secure.
If the bridge is hacked and the locked tokens are stolen, your wrapped tokens become worthless — they are claims on an empty vault.
Types of Bridges
1. Trusted (Centralized) Bridges
How they work: A centralized entity or small group of validators confirms transactions between chains.
Examples: Many exchange-operated bridges
Advantages:
- Faster transactions
- Simpler to use
- Usually cheaper
Risks:
- Single point of failure
- Must trust the operator
- Operator can censor or freeze transactions
- Operator can be hacked or compromised
2. Trustless (Decentralized) Bridges
How they work: Use smart contracts and decentralized validation to verify cross-chain transactions without relying on a single entity.
Examples: Various DeFi bridge protocols
Advantages:
- No single point of control
- Transparent and auditable
- Resistant to censorship
Risks:
- Smart contract vulnerabilities
- More complex (more attack surface)
- Often slower
- Higher fees
- Still rely on validators or relayers that may not be truly decentralized
3. Light Client Bridges
How they work: Run a simplified version of one blockchain's consensus on another, verifying transactions cryptographically.
Advantages:
- Strongest security guarantees
- Don't rely on external validators
- Truly trustless verification
Risks:
- Expensive to operate (high gas costs)
- Complex to build
- Limited availability
- Implementation bugs still possible
4. Liquidity Network Bridges
How they work: Instead of lock-and-mint, use liquidity pools on both chains. Routers facilitate swaps between pools.
Advantages:
- Users receive native tokens (not wrapped)
- No minting/burning required
- Faster for users
Risks:
- Liquidity can dry up
- Router/relayer trust assumptions
- May have slippage on large transfers
- Pool imbalances
Why Bridges Keep Getting Hacked
Bridges are crypto's biggest security weak point. Here's why:
1. Massive Honeypots
Bridge contracts hold enormous amounts of locked tokens — sometimes billions of dollars. This makes them the single most attractive target for hackers. A successful bridge hack can yield more than hundreds of smaller exploits combined.
2. Complex Attack Surface
Bridges must interact with two or more blockchains simultaneously. This means:
- Multiple smart contracts (one on each chain) that must stay in sync
- Cross-chain messaging systems that can be manipulated
- Validator sets that can be compromised
- Signature verification that can contain subtle bugs
Every additional component is another potential entry point for attackers.
3. Validator Compromise
Many bridges use a small set of validators to confirm cross-chain transactions. If an attacker compromises enough validators (or their private keys), they can fabricate transactions and drain the bridge.
Ronin Bridge hack (March 2022): The bridge used 9 validators, requiring 5 signatures to approve transactions. Hackers compromised 5 of the 9 validator keys and drained $625 million. The hack went undetected for six days.
4. Smart Contract Bugs
Bridge smart contracts are among the most complex in crypto, and complexity breeds vulnerabilities.
Wormhole Bridge hack (February 2022): A bug in the signature verification allowed the attacker to forge valid signatures and mint 120,000 wrapped ETH ($320 million) without depositing anything.
Nomad Bridge hack (August 2022): A routine upgrade introduced a bug that allowed anyone to drain funds. Once the first attacker demonstrated the exploit, hundreds of copycats joined in, draining $190 million in a "crowd-sourced hack."
5. Upgrade and Admin Risks
Many bridges have admin keys or upgrade mechanisms that, if compromised, grant total control over the bridge's funds.
Major Bridge Hacks
| Bridge | Date | Amount Lost | Cause | |--------|------|-------------|-------| | Ronin (Axie Infinity) | March 2022 | $625 million | Validator key compromise | | Wormhole | February 2022 | $320 million | Signature verification bug | | Nomad | August 2022 | $190 million | Smart contract upgrade bug | | Harmony Horizon | June 2022 | $100 million | Validator key compromise | | BNB Bridge | October 2022 | $586 million | Proof verification bug |
Pattern: Every major bridge architecture has been exploited. There is no bridge design that has proven immune to attack.
Bridges Are Crypto's Weakest Link
Vitalik Buterin (Ethereum's co-founder) has publicly stated that he is pessimistic about cross-chain bridge security. The fundamental problem is that bridges must secure assets across multiple security domains, and the security of the system is only as strong as the weakest link in the chain.
Bridge Risks for Users
1. Total Loss of Bridged Assets
The risk: If a bridge is hacked, your wrapped tokens can become worthless.
Why: Wrapped tokens are backed by locked tokens. If locked tokens are stolen, there's nothing backing your wrapped tokens. You might still "have" your wrapped tokens, but they're claims on an empty vault.
Impact: Unlike a gradual price decline where you can sell, a bridge hack can make your assets worthless within minutes.
2. Smart Contract Approval Risks
The risk: Bridging typically requires approving the bridge contract to spend your tokens.
Why it matters:
- If you approve unlimited spending (common), the bridge contract can move all your tokens
- A compromised bridge could drain more than just what you're bridging
- Leftover approvals remain active even after you're done bridging
Mitigation: Only approve the exact amount you're bridging. Revoke approvals afterward.
3. Stuck Transactions
The risk: Your assets can get stuck in transit.
Causes:
- Network congestion on either chain
- Bridge downtime or maintenance
- Validator issues
- Smart contract errors
Impact: Your tokens are locked on the source chain, and you haven't received tokens on the destination chain. Resolution may take hours, days, or require support intervention.
4. Wrong Network Errors
The risk: Sending tokens to the wrong address or network.
Why it happens:
- Confusing interfaces
- Multiple networks with similar addresses
- Copy-paste errors
Impact: Tokens may be permanently lost. There is no customer support that can reverse blockchain transactions.
5. Fee Surprises
The risk: Bridge fees can be higher than expected.
Components:
- Bridge protocol fees
- Gas fees on source chain
- Gas fees on destination chain
- Slippage on liquidity bridges
- Exchange rate differences
Particularly painful on small amounts: Bridging $50 might cost $20-30 in total fees during high gas periods.
How to Minimize Bridge Risks
Before Bridging
1. Question whether you need to bridge at all:
- Can you buy the asset directly on the destination chain?
- Can you use a centralized exchange to transfer between chains?
- Is the activity on the other chain worth the bridge risk?
2. Research the bridge:
- How long has it been operating?
- Has it been audited? By whom?
- Has it been exploited before?
- How many validators secure it?
- How much total value is locked?
- Is the code open-source?
3. Check bridge status:
- Is the bridge currently operational?
- Are there any reported issues?
- What's the current processing time?
While Bridging
4. Start with a small test transaction:
- Bridge a tiny amount first to confirm it works
- Verify you receive tokens on the destination chain
- Then bridge the larger amount
5. Approve only the exact amount:
- Don't grant unlimited token approvals
- This limits damage if the bridge is compromised
6. Double-check everything:
- Source and destination networks
- Token addresses
- Receiving wallet address
- Expected fees
7. Save transaction hashes:
- Record the transaction ID on the source chain
- You'll need it if something goes wrong
After Bridging
8. Verify receipt:
- Confirm tokens arrived on the destination chain
- Check the correct amount was received
9. Revoke approvals:
- Remove the bridge's permission to spend your tokens
- Use tools like Revoke.cash to manage approvals
10. Minimize time holding wrapped tokens:
- The longer you hold bridged assets, the longer you're exposed to bridge risk
- If the bridge is hacked while you hold wrapped tokens, those tokens lose their backing
Bridge Safety Checklist
Before using a bridge:
- [ ] Do I actually need to bridge, or is there a simpler alternative?
- [ ] Has this bridge been audited by reputable security firms?
- [ ] Has this bridge been exploited before? If so, was the vulnerability fully fixed?
- [ ] How is the bridge secured? (validators, smart contracts, light clients)
- [ ] Am I bridging only what I can afford to lose?
- [ ] Have I done a small test transaction first?
- [ ] Am I approving only the exact amount needed?
- [ ] Do I have the transaction hash saved?
- [ ] Will I revoke approvals after bridging?
- [ ] Do I understand that wrapped tokens are only as safe as the bridge?
If you can't confidently answer these questions, reconsider whether bridging is worth the risk.
How the Ronin Bridge Hack Actually Happened (A Step-by-Step Breakdown)
I've read every available post-mortem and investigation report on the Ronin Bridge hack, and what strikes me most is how low-tech the actual attack was. This wasn't a genius mathematical exploit or a novel cryptographic attack. It was, at its core, a failure of basic security hygiene applied to a system holding over half a billion dollars.
The Ronin Bridge used nine validators, requiring five signatures to approve any transaction. Sky Mavis (the company behind Axie Infinity) controlled four of those nine validators directly. In November 2021, they had temporarily been given control of a fifth validator belonging to the Axie DAO to help process a surge in transactions. That temporary access was never revoked.
In March 2022, attackers — later attributed to North Korea's Lazarus Group — compromised Sky Mavis's internal systems through a targeted spear-phishing attack. With access to the company's infrastructure, they obtained the private keys for the four Sky Mavis validators plus the Axie DAO validator key that should have been revoked months earlier. Five of nine keys. They drained 173,600 ETH and 25.5 million USDC — approximately $625 million. The hack went undetected for six days, only discovered when a user tried to withdraw and couldn't.
Every element of this failure was preventable: the concentrated validator control, the un-revoked temporary access, the insufficient monitoring. And yet it happened to one of the most prominent projects in crypto. If a team with significant resources and VC backing can make these mistakes, consider what the security posture might be at smaller, less-funded bridge projects.
Final Thought
Every time you use a bridge, you are placing trust in complex, frequently targeted infrastructure that connects two independent security domains. The convenience of moving assets between chains comes at a real cost — billions of dollars stolen from bridges in recent years prove this is not theoretical risk. Before bridging, always ask: can I simply buy this asset directly on the destination chain? If the answer is yes, that is almost always the safer choice.
Further Reading
- What Are Smart Contracts? How They Work and Why They Matter
- Safe Transaction Habits: Test Sends, Address Checks, and Allowances
- DeFi Explained: What It Is and the Risks
- Scams 101: The Most Common Crypto Scams and How to Avoid Them
Frequently Asked Questions
Sources & References
All claims in this article are supported by the following sources. We encourage readers to verify information independently.
- Digital Asset and Crypto Investment Scams — Investor Alert — U.S. Securities and Exchange Commission
- Cross-Chain Bridge Hacks — Rekt News
- Why the Future Will Be Multi-Chain But Not Cross-Chain — Vitalik Buterin
FinTech Researcher & Crypto Educator — B.S. Financial Engineering, CFA Level II Candidate, 8+ years in blockchain research
Specializing in crypto security analysis, regulatory compliance, and risk-first education. All content backed by primary sources from SEC, IRS, NIST, and peer-reviewed research.