In today’s multi-chain universe, blockchains are like bustling cities—each with its own rules, systems, and economies. But how do we travel between them? How do assets safely go from one chain to another?
Enter BRIDGES.
Think of blockchain bridges as digital tunnels that connect isolated blockchain ecosystems. They let users move tokens, pass messages, or sync up state across chains. Without bridges, blockchains would be self-contained silos. Useful, sure—but not exactly a connected universe.
Building a bridge doesn't sound that hard, right?
Isn't it just something like this (see animation below)?
Sure enough, early bridge designs began with that exact straightforward premise: designate a trusted entity to handle the cross-chain communication. These trusted bridges come in several flavours:
Single relayer: A central party locks assets on one chain and issues them on another. Fast, but completely reliant on that party's honesty.
Known Hack: Binance Bridge (relying on Binance as the trusted central party) operated this way and was exploited in October 2022 when attackers manipulated Merkle proofs to fabricate a deposit, leading to a loss of nearly $600 million. The vulnerability stemmed from a flaw in the proof verification method of the BSC Token Hub's use of the iavl library. The attacker registered as a relayer with a deposit of 100 BNB, then used the flaw to mint 2 million BNB tokens. Binance halted the chain and froze around $7 million, but estimated losses between $100–$110 million after tracking. After that, Binance (and also Cosmos, since Binance forked from Cosmos' cross-chain framework) fixed the bug by not accepting transactions with an IAVL tree containing both left and right leaves (Immunefi, 2023).
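Why that fix matters, as a simplified Python model added here (not the iavl library's code and not from the original post): `PathNode`, `node_hash` and `verify` are hypothetical names, and the hashing rule in `node_hash` is an assumption of the model. A proof step that names both siblings carries a field the root never commits to, so a strict verifier rejects it outright.

```python
import hashlib
from dataclasses import dataclass


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


@dataclass(frozen=True)
class PathNode:
    left: bytes = b""   # sibling hash when the proven child sits on the right
    right: bytes = b""  # sibling hash when the proven child sits on the left


def node_hash(node: PathNode, child: bytes) -> bytes:
    # Assumed hashing rule of this model: once `left` is set, `right` is never
    # hashed, so the root does not commit to whatever the proof carries there.
    if node.left:
        return h(node.left, child)
    return h(child, node.right)


def verify(root: bytes, leaf: bytes, path: list, strict: bool) -> bool:
    cur = h(leaf)
    for node in path:
        if strict and node.left and node.right:
            return False  # reject a step that names both siblings
        cur = node_hash(node, cur)
    return cur == root


def demo() -> dict:
    a, b = b"constructed-leaf-A", b"constructed-leaf-B"
    root = h(h(a), h(b))  # two-leaf tree
    honest = [PathNode(left=h(a))]  # proof that b is the right child
    padded = [PathNode(left=h(a), right=b"constructed bytes the root never saw")]
    return {
        "honest_strict": verify(root, b, honest, strict=True),
        "padded_lenient": verify(root, b, padded, strict=False),
        "padded_strict": verify(root, b, padded, strict=True),
    }


if __name__ == "__main__":
    print(demo())
```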
Validator sets: Instead of relying on just one central party, the natural upgrade towards a more fault-tolerant infrastructure is to introduce a group of known actors (validators) to collectively monitor and approve transactions. Now that does sound safer than a single relayer, but still not good enough.
Known Hack: The Ronin Bridge used by the Axie Infinity ecosystem relied on 9 validators. In 2022, attackers gained access to 5 of them, just enough to approve fraudulent withdrawals, resulting in a $611 million heist—one of the largest in crypto history.
Optimistic bridges: If we assume everyone is honest unless proven otherwise, we can use an optimistic approach where observers can challenge fraud and penalize dishonest actors. As long as one actor is honest, the system can work. Oftentimes, the rollback (when a bad actor is caught) is very complex.
Known Hack: While generally more robust, optimistic designs are still vulnerable. The Nomad Bridge, which allowed verification bypasses due to a faulty configuration, lost $190 million in 2022. Attackers essentially copy-pasted transaction payloads and were rewarded due to misconfigured message hashes.
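The class of misconfiguration described above, as a simplified Python model added here (not Nomad's contract code and not from the original post): `Replica`, `confirm_at` and `messages` are hypothetical names, and a dictionary lookup with a zero default stands in for an unset storage slot. It shows how registering the zero value as a trusted root lets a message that was never proven pass, and the guard that closes the gap.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset storage slot reads as


class Replica:
    """Toy inbox: a message may execute only if proven under a trusted root."""

    def __init__(self, trusted_root: bytes, reject_zero: bool):
        self.reject_zero = reject_zero
        self.confirm_at = {trusted_root: 1}  # root -> time it became acceptable
        self.messages = {}                   # message hash -> root it was proven under
        self.processed = set()

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification, assumed correct here.
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero and root == ZERO_ROOT:
            return False  # the "unset" sentinel can never be a real root
        return self.confirm_at.get(root, 0) != 0

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False  # already executed once
        root = self.messages.get(digest, ZERO_ROOT)  # never proven -> zero
        if not self.acceptable_root(root):
            return False
        self.processed.add(digest)
        return True


def unproven_accepted(trusted_root: bytes, reject_zero: bool) -> bool:
    """Does a message that was never proven get executed?"""
    replica = Replica(trusted_root, reject_zero)
    return replica.process(b"constructed: transfer nobody proved")


REAL_ROOT = hashlib.sha256(b"constructed root").digest()

if __name__ == "__main__":
    print("zero root trusted, no guard:", unproven_accepted(ZERO_ROOT, False))
    print("zero root trusted, guarded: ", unproven_accepted(ZERO_ROOT, True))
    print("real root trusted:          ", unproven_accepted(REAL_ROOT, False))
```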
As a natural evolution beyond trusted relayers and validators, trustless bridges eliminate the need to trust specific actors. Instead, they rely on permissionless participation and cryptographic proof to ensure integrity.
Liquidity-based bridges: These work more like decentralized exchanges. Instead of moving tokens across chains, users swap into a liquidity pool on Chain A and get equivalent tokens from a pool on Chain B.
Fast and trustless—if liquidity is deep enough. Projects like Hop Protocol, Connext, and Celer use this model. But if one side runs dry, swaps can fail or become expensive. And unlike the relayer-based models, these rely more on game-theoretic incentives and smart contract execution than external validators.
Known Hack: Allbridge suffered a loss of about $570,000 due to a price manipulation exploit. An attacker manipulated the price of assets in the liquidity pool, allowing them to withdraw more funds than they had deposited. The exploit was facilitated by the attacker's dual role as both a liquidity provider and a trader.
Light client and relay bridges: These bridges use light clients—tiny versions of full blockchain nodes—that verify block headers using cryptographic proofs (such as zero-knowledge proofs like zk-SNARKs). Relayers submit these headers across chains, allowing contracts on the destination chain to independently verify events.
A lot more secure and decentralized—but resource-intensive. These designs offer strong trust guarantees because no single actor can fake a block. Near’s Rainbow Bridge and Cosmos IBC are prominent examples. The catch? Running light clients and relayers on multiple chains takes effort, and verification can be slower compared to simpler bridges.
Known Attack: In 2022, a hacker tried to exploit the NEAR Rainbow Bridge by submitting a fake block (with 5 ETH as a deposit). Rainbow's validators caught the fabricated block within 31 seconds. The attacker ended up losing a 5 ETH bond.
| Types | External Validators & Federations | Liquidity-Based Bridges | Light Clients & Relays |
| --- | --- | --- | --- |
| Mechanism | Validators monitor a deposit address; mint IOUs | Token swap via liquidity pools on both chains | Cryptographic proofs sent to light clients via relayers |
| Trust Model | Trusted (relies on external validators) | Trust-minimized (governed by smart contracts) | Trust-minimized (on-chain verification using proofs) |
| Token Type Received | IOU derivatives | Native tokens | Native tokens |
| Examples | Wormhole, Multichain, Poly Network, Synapse | Celer, Connext, Hop Protocol | NEAR Rainbow Bridge, Cosmos IBC, Stargate |
| Security Risks | Centralized trust => vulnerable to validator exploits | Pool imbalance or smart contract bugs | Technically complex; vulnerable if relay/oracle fails |
| Performance | Fast and simple | Moderate (depends on liquidity) | Slower, resource-intensive |
| Implementation Complexity | Simple to implement | Moderate (needs liquidity provisioning) | High complexity (needs client, relayer, oracle setup) |
| Scalability | Scalable, but less secure | Scalable if liquidity is maintained | Limited by computational cost and integration effort |
| Decentralization | Low | High | High |
| Best Use Case | Quick, easy-to-build bridges where trust is acceptable | Cross-chain Dapps requiring native token transfers | High-security use cases where performance is less critical |
Here are some notable hacks over the last few years:
| Date | Bridge Name | Amount Stolen | Cause | Notes |
| --- | --- | --- | --- | --- |
| Aug 2021 | Poly Network | $610M | Smart contract vulnerability | Funds returned by hacker. |
| Jan 2022 | Qubit | ~$80M | Smart contract logic flaw | Incorrect deposit validation enabled unauthorized withdrawals. |
| Feb 2022 | Meter.io | ~$4.4M | Smart contract design flaw | Mishandling of wrapped tokens allowed unauthorized withdrawals. |
| Feb 2022 | Wormhole | $326M | Smart contract bug | Failed signature verification led to unauthorized minting. |
| Mar 2022 | Ronin | $625M | Compromised private keys | 5/9 validator keys stolen; linked to Lazarus Group. |
| Jun 2022 | Harmony Horizon | $100M | Compromised private keys | 2/5 multisig keys stolen. |
| Aug 2022 | Nomad | $190M | Smart contract misconfiguration | Default root allowed anyone to withdraw. |
| Oct 2022 | BNB Chain (Binance) | ~$570M | Smart contract proof flaw | IAVL Merkle verification vulnerability. |
| Apr 2023 | Allbridge | $570K | Price manipulation (flash loan) | Returned funds, partial whitehat. |
| Jul 2023 | Multichain | $126M | Compromised private keys | CEO’s custody of keys led to exploit. |
| Jan 2024 | Orbit Chain | Unknown | Compromised private keys | 7/10 multisig keys compromised. |
| Jan 2024 | Socket Protocol | ~$3.3M | Smart contract design flaw | Affected users with infinite approval. |
| May 2024 | ALEX Bridge | $4.3M | Possible private key compromise | Suspicious withdrawals post-upgrade. |
| Feb 2025 | Play Bridge | $8.65M WEMIX (~$20M est.) | External exploit | Abnormal withdrawals observed. |
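Many of these incidents end the same way: tokens are minted or released on one chain with no matching deposit on the other. The Python check below is an added example (not from the original post or from any monitoring tool it cites); the event fields and the `reconcile` and `over_minted` names are assumptions, and the events are constructed sample data. It flags mints that break lock/mint parity and computes per-token excess supply.

```python
from collections import Counter

# Constructed sample events; field names are assumptions for this sketch.
LOCKS = [  # deposits observed on the source chain
    {"id": "dep-1", "token": "ETH", "amount": 10, "to": "alice"},
    {"id": "dep-2", "token": "ETH", "amount": 5, "to": "bob"},
]
MINTS = [  # mints/releases observed on the destination chain
    {"deposit_id": "dep-1", "token": "ETH", "amount": 10, "to": "alice"},
    {"deposit_id": "dep-2", "token": "ETH", "amount": 50, "to": "bob"},    # inflated
    {"deposit_id": "dep-3", "token": "ETH", "amount": 7, "to": "carol"},   # no deposit
    {"deposit_id": "dep-1", "token": "ETH", "amount": 10, "to": "alice"},  # replayed
]


def reconcile(locks, mints):
    """Return (mint_index, reason) for every mint that breaks lock/mint parity."""
    by_id = {lock["id"]: lock for lock in locks}
    seen, alerts = set(), []
    for i, mint in enumerate(mints):
        dep = by_id.get(mint["deposit_id"])
        if dep is None:
            alerts.append((i, "mint without deposit"))
        elif mint["deposit_id"] in seen:
            alerts.append((i, "deposit redeemed twice"))
        elif any(mint[k] != dep[k] for k in ("token", "amount", "to")):
            alerts.append((i, "mint differs from deposit"))
        seen.add(mint["deposit_id"])
    return alerts


def over_minted(locks, mints):
    """Per-token amount by which minted supply exceeds what is locked."""
    net = Counter()
    for lock in locks:
        net[lock["token"]] -= lock["amount"]
    for mint in mints:
        net[mint["token"]] += mint["amount"]
    return {token: excess for token, excess in net.items() if excess > 0}


if __name__ == "__main__":
    for index, reason in reconcile(LOCKS, MINTS):
        print(f"ALERT mint #{index}: {reason}")
    print("excess supply:", over_minted(LOCKS, MINTS))
```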
And then there's the most tantalizing question:
What if we didn't need bridges at all?
Just last week (May 4th 2025), 1 BTC was sent from Bitcoin to Cardano and back to Bitcoin without a bridge... Yes, it was a BRIDGELESS cross-chain transfer! We will cover bridgeless details in some future post...
Immunefi. (2023, March 17). Hack analysis: Binance Bridge, October 2022 - ImmuneFi - Medium. Medium. https://medium.com/immunefi/hack-analysis-binance-bridge-october-2022-2876d39247c1
Belenkov, N., Callens, V., Murashkin, A., Bąk, K., Derka, M., Gorzny, J., & Lee, S.-S. (2025). SoK: A Review of Cross-Chain Bridge Hacks in 2023. https://doi.org/10.48550/arxiv.2501.03423
Augusto, A., Belchior, R., Pfannschmidt, J., Vasconcelos, A., & Correia, M. V. (2024). XChainWatcher: Monitoring and Identifying Attacks in Cross-Chain Bridges. arXiv.Org, abs/2410.02029. https://doi.org/10.48550/arxiv.2410.02029
Li, N., Qi, M., Xu, Z., Zhu, X., Zhou, W., Wen, S., & Xiang, Y. (2024). Blockchain Cross-Chain Bridge Security: Challenges, Solutions, and Future Outlook. Deleted Journal. https://doi.org/10.1145/3696429
Amela, R., Mishra, S., Lerner, S. D., & Cid-Fuentes, J. (2025). Union: A Trust-minimized Bridge for Rootstock. https://doi.org/10.48550/arxiv.2501.07435
Cao, Y., Cao, J., Bai, D., Wen, L., Liu, Y., & Li, R. (2024). MAP the Blockchain World: A Trustless and Scalable Blockchain Interoperability Protocol for Cross-chain Applications. https://doi.org/10.48550/arxiv.2411.00422
CoinGecko. (2023, November 16). How do Crypto Bridges ACTUALLY Work? 3 Main Types Explained [Video]. YouTube. https://www.youtube.com/watch?v=7rNq9i30KjE
SlowMist hacked - SlowMist Zone. (n.d.-b). https://hacked.slowmist.io/?c=Bridge
Malwa, S. (2023, May 11). Hackers lose 5 ether while trying to attack near Protocol’s Rainbow Bridge. CoinDesk. https://www.coindesk.com/tech/2022/08/23/hackers-lose-5-ether-while-trying-to-attack-near-protocols-rainbow-bridge
ScalingX. (2023, August 1). ZK Bridges: Empowering the Cross-Chain World with Zero Knowledge Proofs. Medium. https://medium.com/@scalingx/zk-bridges-empowering-the-cross-chain-world-with-zero-knowledge-proofs-9e53eec91443
Dioquino, V. (2025, May 5). BitcoinOS demo sends BTC to Cardano and Back—Without a Cross-Chain bridge. Decrypt. https://decrypt.co/317840/bitcoinos-demo-sends-btc-to-cardano-and-back-without-a-cross-chain-bridge
Chainlink. (n.d.). Seven key Cross-Chain Bridge vulnerabilities explained. https://chain.link/education-hub/cross-chain-bridge-vulnerabilities