What Are Cross-Chain Bridges? How They Work and Why Security Matters

What Are Cross-Chain Bridges?
Cross-chain bridges are protocols that enable the transfer of assets and data between separate blockchain networks. Because blockchains are isolated systems that cannot natively communicate with each other, bridges serve as the connective infrastructure that allows tokens to move from Ethereum to Solana, from Arbitrum to Base, or between any other combination of networks.
The need for bridges arises from the multi-chain reality of crypto in 2026. Liquidity, applications, and users are distributed across dozens of networks, each with its own consensus mechanism, token standards, and transaction formats. A trader who holds ETH on Ethereum but wants to use a DeFi protocol on Arbitrum needs a bridge to move those assets. An institution that tokenizes real-world assets on one chain but wants to access liquidity on another depends on bridge infrastructure to make that possible.
The scale of cross-chain activity is significant. Billions of dollars flow through bridge protocols monthly, and the infrastructure underpins much of the composability that defines the DeFi ecosystem. However, bridges are also the single most exploited category of infrastructure in crypto: since 2021, over $4 billion has been lost through bridge hacks alone. In 2026 alone, eight major bridge attacks have resulted in approximately $328.6 million in losses through mid-May.
How Cross-Chain Bridges Work
While bridge designs vary considerably, most follow a common conceptual pattern: lock assets on the source chain, verify the transaction, and release or mint corresponding assets on the destination chain.
Lock-and-Mint Bridges. The most traditional bridge design locks the original tokens in a smart contract on the source chain and mints wrapped tokens on the destination chain. When a user bridges 1 ETH from Ethereum to another network, the bridge locks the ETH in its contract and issues 1 wrapped ETH (wETH) on the target chain. When the user bridges back, the wrapped token is burned and the original ETH is unlocked. The security of this model depends entirely on the integrity of the smart contract holding the locked assets. If that contract is compromised, all locked funds are at risk.
Burn-and-Mint Bridges. Some bridges use a burn-and-mint model where tokens are destroyed on the source chain and new tokens are natively minted on the destination chain. Circle's Cross-Chain Transfer Protocol (CCTP) uses this approach for USDC. Because no custodial pool of locked assets exists, there is no honeypot for attackers to target. This model is inherently more secure but requires the token issuer to support native minting across multiple chains.
Multi-Oracle Verification. Chainlink's Cross-Chain Interoperability Protocol (CCIP) employs a network of independent oracle nodes to verify cross-chain transactions. Each bridge lane is secured by at least 16 independent, security-reviewed node operators that validate transactions through decentralized consensus. This approach distributes trust across multiple parties rather than relying on a single verification mechanism.
Intent-Based Bridges. Newer bridge designs like Across Protocol use an intent-based model where professional relayers front the assets to users on the destination chain immediately, then settle with the bridge contract later. This approach provides near-instant transfers and operates with minimal custodial risk because relayers use their own capital rather than drawing from locked pools.
A History of Bridge Exploits
The history of cross-chain bridges is marked by a series of catastrophic exploits that have shaped how the industry approaches bridge security.
Ronin Bridge, March 2022: $625 Million. The largest bridge hack in history targeted the Ronin network, which powers the Axie Infinity game. Attackers, later attributed to North Korea's Lazarus Group, compromised the private keys of five out of nine validator nodes through social engineering, allowing them to authorize fraudulent withdrawals of 173,600 ETH and 25.5 million USDC.
Wormhole, February 2022: $326 Million. Attackers exploited a vulnerability in Wormhole's signature verification process, bypassing guardian account validation to mint 120,000 wETH with no backing. Jump Crypto, Wormhole's backer, later recovered approximately $140 million through a counter-exploit operation.
Nomad Bridge, August 2022: $190 Million. A configuration error in Nomad's smart contract allowed anyone to drain funds by replaying a modified transaction. The exploit was notable because once the vulnerability was discovered, hundreds of copycats joined in, turning it into a mass looting event.
Kelp DAO, April 2026: $292 Million. The most recent major bridge exploit drained 116,500 rsETH through a vulnerability in the protocol's LayerZero-powered bridge. The attack triggered contagion across the DeFi ecosystem, with Aave's total value locked dropping $6.6 billion in the immediate aftermath and total DeFi TVL falling over $13 billion in two days. The DeFi United coalition subsequently raised over $300 million to backstop the resulting bad debt, and major protocols moved over $4 billion in assets from LayerZero to Chainlink CCIP in the following weeks.
These exploits share common patterns. Lock-and-mint bridges create concentrated pools of assets that represent high-value targets. Centralized or under-decentralized verification mechanisms create single points of failure. Smart contract vulnerabilities, whether from coding errors or inadequate auditing, provide the attack surface that hackers exploit.
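The lock-and-mint model implies an invariant a defender can monitor: wrapped supply on the destination chain never exceeds collateral locked on the source chain, and each cross-chain message is honoured once. The sketch below is an added example, not code from any bridge named here; the class, event names and sample events are hypothetical and constructed for illustration.

```python
class BackingMonitor:
    """Mirrors one lock-and-mint bridge and flags breaks in its backing invariant."""

    def __init__(self):
        self.locked = 0        # collateral held by the source-chain contract
        self.wrapped = 0       # wrapped supply on the destination chain
        self.pending = {}      # msg_id -> (kind, amount) awaiting its counterpart
        self.consumed = set()  # msg_ids already used for a mint or unlock
        self.alerts = []

    def observe(self, kind, msg_id, amount):
        if kind == "lock":
            self.locked += amount
            self.pending[msg_id] = ("lock", amount)
        elif kind == "burn":
            self.wrapped -= amount
            self.pending[msg_id] = ("burn", amount)
        elif kind in ("mint", "unlock"):
            needed = "lock" if kind == "mint" else "burn"
            if msg_id in self.consumed:
                self.alerts.append((msg_id, f"replayed {kind}"))
            elif self.pending.get(msg_id) != (needed, amount):
                self.alerts.append((msg_id, f"{kind} without matching {needed}"))
            else:
                del self.pending[msg_id]
                self.consumed.add(msg_id)
            # Mirror the on-chain effect even when it is illegitimate.
            if kind == "mint":
                self.wrapped += amount
            else:
                self.locked -= amount
        if self.wrapped > self.locked:
            self.alerts.append((msg_id, "wrapped supply exceeds locked collateral"))

# Constructed sample events: (kind, message id, amount in smallest token units).
SAMPLE_EVENTS = [
    ("lock", "m1", 10), ("mint", "m1", 10),   # normal bridge out
    ("burn", "m2", 4), ("unlock", "m2", 4),   # normal bridge back
    ("mint", "m3", 120),                      # mint with no lock behind it
    ("unlock", "m2", 4),                      # reuse of an already consumed message
]

def run_monitor(events):
    monitor = BackingMonitor()
    for kind, msg_id, amount in events:
        monitor.observe(kind, msg_id, amount)
    return monitor

if __name__ == "__main__":
    print(run_monitor(SAMPLE_EVENTS).alerts)
```

In practice the events would come from indexed contract logs on both chains, and an alert would feed the pause mechanism rather than a print statement.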
How Bridge Security Is Evolving
The industry's response to the bridge security problem has produced several distinct approaches.
Decentralized Verification. Chainlink CCIP's multi-oracle model distributes verification across independent node operators, reducing the risk that a single compromised validator can authorize fraudulent transactions. The migration of over $4 billion in assets to CCIP following the Kelp DAO exploit reflects institutional demand for this approach. Protocols including Lombard, Kelp DAO, Solv, Re, and Kraken cited CCIP's independent node operators, built-in rate limits, and audited infrastructure as primary reasons for switching.
Native Issuance. Circle's CCTP and similar native minting protocols eliminate the locked asset pool entirely. Because tokens are burned on the source chain and natively minted on the destination chain by the token issuer, there is no custodial smart contract to exploit. This model works only for tokens whose issuers support multi-chain native minting, limiting its applicability to stablecoins and certain wrapped assets.
Rate Limiting and Circuit Breakers. Modern bridge designs incorporate rate limits that cap the volume of assets that can be transferred within a given time period. If an attacker compromises the bridge, rate limits restrict the amount that can be drained before the exploit is detected and the bridge is paused. Circuit breakers automatically halt bridge operations if anomalous activity is detected, similar to the trading halts used by traditional stock exchanges.
Formal Verification. Some bridge protocols have begun applying formal verification, a mathematical method for proving that code behaves exactly as intended under all possible conditions. While more time-intensive and expensive than traditional audits, formal verification provides stronger guarantees about smart contract correctness.
Insurance and Recovery Mechanisms. The DeFi community's coordinated response to the Kelp DAO exploit, with DeFi United raising over $300 million to cover protocol bad debt, demonstrated a new model for managing bridge-related losses. Additionally, on-chain insurance protocols offer coverage for bridge failures, though premiums and coverage limits vary significantly.
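The rate limits and circuit breakers described above can be modelled as a token bucket on outflows plus a latch that pauses the bridge. This is an added example, not any protocol's actual implementation; the class name, parameters and withdrawal data are hypothetical, and the anomaly signal (a run of consecutive limit hits) is a simplifying assumption.

```python
class OutflowGuard:
    """Token-bucket cap on bridge outflows plus a breaker that pauses the bridge."""

    def __init__(self, capacity, refill_per_sec, trip_after):
        self.capacity = capacity              # max units releasable in one burst
        self.refill_per_sec = refill_per_sec  # sustained outflow allowed per second
        self.trip_after = trip_after          # consecutive limit hits that trip the breaker
        self.tokens = capacity
        self.last_seen = 0
        self.limit_hits = 0
        self.paused = False

    def request(self, now, amount):
        if self.paused:
            return "paused"
        elapsed = now - self.last_seen
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last_seen = now
        if amount <= self.tokens:
            self.tokens -= amount
            self.limit_hits = 0
            return "released"
        self.limit_hits += 1
        if self.limit_hits >= self.trip_after:
            self.paused = True                # stays paused until an operator calls resume()
            return "paused"
        return "rate_limited"

    def resume(self):
        self.paused, self.limit_hits = False, 0

# Constructed withdrawals: (time in seconds, amount in token units).
SAMPLE_WITHDRAWALS = [(0, 50), (5, 400), (15, 400), (25, 400), (35, 400), (45, 400)]

def simulate(withdrawals, pool=10_000):
    guard = OutflowGuard(capacity=500, refill_per_sec=1, trip_after=3)
    outcomes, released = [], 0
    for now, amount in withdrawals:
        result = guard.request(now, amount)
        outcomes.append(result)
        if result == "released":
            released += amount
    return outcomes, released, pool - released

if __name__ == "__main__":
    print(simulate(SAMPLE_WITHDRAWALS))
```

With these constructed numbers, repeated 400-unit withdrawals release 450 units of a 10,000-unit pool before the breaker latches, which is the damage-limiting property the paragraph describes.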
Evaluating Bridge Risk
For users and institutions moving assets across chains, several factors determine the risk profile of a bridge.
Verification Model. How does the bridge verify transactions? Bridges that rely on a small number of validators or a single multisig wallet present higher centralization risk than those using decentralized oracle networks or zero-knowledge proofs. The number and independence of validators directly affects the difficulty of compromising the bridge.
Custodial Exposure. Does the bridge hold locked assets in a custodial smart contract? Lock-and-mint bridges create a concentrated pool of funds that represents an attractive target. Burn-and-mint or intent-based designs minimize or eliminate this exposure.
Audit History. Has the bridge been audited by reputable security firms, and how recently? Professional audits can prevent an estimated 80% of exploitable vulnerabilities, but the effectiveness of an audit depends on its scope, recency, and the rigor of the auditing firm. Multiple audits from different firms provide stronger assurance than a single review.
Track Record. How long has the bridge operated without a security incident? Bridges with multi-year track records of handling significant volume provide more confidence than newly launched protocols, though past performance does not guarantee future security.
Rate Limits and Safety Mechanisms. Does the bridge implement rate limits, circuit breakers, or other safety mechanisms that restrict damage in the event of an exploit? These features do not prevent attacks but significantly limit their impact.
Liquidity and Spread. Bridge transfers can involve spread and price impact, particularly for larger transactions or less liquid token pairs. Comparing the effective cost across multiple bridge options for the same transfer helps optimize execution.
The Bridge Landscape in 2026
The cross-chain bridge market is consolidating around a smaller number of established protocols as the industry prioritizes security over experimentation. The Kelp DAO exploit accelerated this trend, triggering a flight to quality that benefited protocols with stronger security architectures.
Chainlink CCIP has emerged as the institutional standard for cross-chain transfers, with its multi-oracle verification model and the $4 billion migration wave establishing it as the security-first option. Circle's CCTP dominates stablecoin transfers with its burn-and-mint model. Wormhole, despite its 2022 exploit, has rebuilt its security infrastructure and maintains significant market share, particularly for Solana-related transfers.
Several developments will shape the bridge landscape going forward. Zero-knowledge proof-based bridges are maturing, promising cryptographic verification that eliminates trust assumptions entirely. Ethereum's Layer 2 ecosystem is developing shared bridge infrastructure through initiatives like the OP Stack Superchain, which aims to make transfers between OP Stack chains seamless. And the growing regulatory focus on DeFi infrastructure may eventually introduce compliance requirements for bridge operators.
For users, the practical takeaway is that bridge selection matters. The choice of which bridge to use when moving assets across chains is a security decision with real financial consequences. Prioritizing bridges with decentralized verification, minimal custodial exposure, strong audit histories, and built-in safety mechanisms reduces risk in an infrastructure category that remains the most frequently exploited in all of crypto.


