
{"id":98915,"date":"2025-09-23T08:40:50","date_gmt":"2025-09-23T08:40:50","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=98915"},"modified":"2025-09-23T08:40:50","modified_gmt":"2025-09-23T08:40:50","slug":"how-cross-chain-bridges-are-hacked","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=98915","title":{"rendered":"How Cross-Chain Bridges are Hacked?"},"content":{"rendered":"<p>In the sprawling universe of blockchain technology, cross-chain bridges serve as vital conduits, allowing digital assets to flow seamlessly between isolated networks like Ethereum, Solana, and Binance Smart\u00a0Chain. Without them, each chain would remain a siloed economy, stifling the growth of DeFi and NFTs. Bridges enable users to, say, deposit ETH on Ethereum and withdraw an equivalent wrapped version (wETH) on Polygon for cheaper transactions.<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/awesome-on-chain-investigations-handbook-3ab1207e197e\">Awesome On-Chain Investigations HandBook<\/a><\/p>\n<p>These bridges unlock liquidity, enable DeFi innovations, and power everything from cross-chain swaps to enterprise settlements. But with great connectivity comes great risk: hackers have siphoned off over $2.8 billion from bridges since 2022, making them one of the juiciest targets in crypto. As the multi-chain ecosystem matures\u200a\u2014\u200awith $55 billion in total value locked (<strong>TVL<\/strong>) across bridges in 2025\u200a\u2014\u200athese vulnerabilities aren\u2019t just historical footnotes; they\u2019re ongoing threats that could undermine trust in Web3 interoperability. This article breaks down how bridges operate, the sneaky ways they\u2019re exploited, real-world horror stories, and strategies to lock down the\u00a0future.<\/p>\n<p>At their core, cross-chain bridges are decentralized applications (dApps) that act like interstellar portals for tokens and data, bridging blockchains that were never designed to talk to each other. Essentially, a cross-chain bridge is a technology that allows communication between two separate blockchain networks, such as transferring and swapping assets, calling functions in contracts on other blockchains, and more. Bridges, in other words, enable users to transfer assets from one network to another. For example, if you have Bitcoin and want to spend it on Ethereum, you can do so via a\u00a0bridge.<\/p>\n<p>This process relies on trust-minimized mechanisms like Merkle proofs or multi-signature (multisig) approvals to verify transactions without a central authority. <strong>The magic happens through smart contracts on both\u00a0chains:<\/strong><\/p>\n<ol>\n<li><em>Deposit\/Lock: You send assets to a bridge contract on the source chain, where they\u2019re locked or\u00a0burned.<\/em><\/li>\n<li><em>Cross-Chain Messaging: A protocol relays proof of the deposit (e.g., via oracles or validators) to the destination chain.<\/em><\/li>\n<li><em>Mint\/Unlock: Equivalent assets are minted or unlocked from a reserve on the target\u00a0chain.<\/em><\/li>\n<\/ol>\n<h3>Types of\u00a0Bridges<\/h3>\n<ul>\n<li><em>Lock-and-Mint: Locks originals on the source; mints \u201cIOUs\u201d on the destination (the most common model for wrapped\u00a0tokens).<\/em><\/li>\n<li><em>Burn-and-Mint: Destroys tokens on the source; recreates natives on the destination (more gas-efficient but riskier if proofs\u00a0fail).<\/em><\/li>\n<li><em>Lock-and-Unlock: Locks source assets; draws from a liquidity pool on the destination, often incentivized by\u00a0fees.<\/em><\/li>\n<\/ul>\n<p>There will undoubtedly be more opportunities for users to use bridges as the number of different blockchains grows. However, if you are unfamiliar with the characteristics of each bridge, you may be exposed to unexpected risks, so use them with\u00a0caution.<\/p>\n<p>Bridges aren\u2019t monolithic fortresses; they\u2019re patchwork systems blending on-chain code, off-chain validators, and human oversight. Attacks often target these seams, exploiting logic flaws, human error, or design oversights. Drawing from security analyses, here are seven key vulnerabilities\u200a\u2014\u200aand how attackers weaponize them.<\/p>\n<p>With all of these major hacks occurring so frequently and in such a short period of time, it should be obvious that security is desperately needed. I\u2019ll go over the most common bridge attacks and provide a list of useful resources to help you protect yourself from potential problems!<\/p>\n<h3>Top Bridge\u00a0Hacks<\/h3>\n<ul>\n<li><strong><em>BSC Bridge: $568M:<\/em><\/strong><em> On 7th October 2022, an exploit affected the native cross-chain bridge called \u201cBSC Token Hub\u201d. The bug was in the proof verifier of the bridge. A total of 2 million BNB was withdrawn, and Binance temporarily paused the BSC network to prevent further damage. Funds taken off BSC are estimated at between $100M and $110M. Further reading: <\/em><a href=\"https:\/\/blog.quillhash.com\/2022\/10\/11\/the-million-dollars-bsc-token-hub-bridge-hack-analysis\/\"><em>blog.quillhash.com\/2022\/10\/11\/the-million-dollars-bsc-token-hub-bridge-hack-analysis<\/em><\/a><\/li>\n<li><strong><em>Nomad attacks: $200M:<\/em><\/strong><em> Back in August, hackers exploited Nomad to steal around $200 million. The main cause of the attack was that Nomad\u2019s smart contract failed to properly validate the input of the transaction. Further reading: <\/em><a href=\"https:\/\/sm4rty.medium.com\/nomad-bridges-200-million-exploit-postmortem-9d1cd83db1f7\"><em>sm4rty.medium.com\/nomad-bridges-200-million-exploit-postmortem-9d1cd83db1f7<\/em><\/a><\/li>\n<li><strong><em>Harmony Bridge: $100M:<\/em><\/strong><em> In June 2022, the Harmony Horizon bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies, including Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, Tether (USDT), and USD Coin (USDC). The attacker then used Tornado Cash to launder many of the stolen tokens. Further reading: <\/em><a href=\"https:\/\/medium.com\/harmony-one\/harmonys-horizon-bridge-hack-1e8d283b6d66\"><em>medium.com\/harmony-one\/harmonys-horizon-bridge-hack-1e8d283b6d66<\/em><\/a><\/li>\n<li><strong><em>Ronin Bridge: $600M:<\/em><\/strong><em> In March 2022, a huge hack was carried out at Ronin Network, the Ethereum-based sidechain for the well-known cryptocurrency game Axie Infinity. The attackers stole approximately 173,600 ETH and 25.5 million USDC, for a total value of approximately $624 million. The attacker allegedly used hacked private keys to fabricate bogus withdrawals from the Ronin bridge contract in two transactions. Further reading: <\/em><a href=\"https:\/\/blog.chainalysis.com\/reports\/axie-infinity-ronin-bridge-dprk-hack-seizure\"><em>blog.chainalysis.com\/reports\/axie-infinity-ronin-bridge-dprk-hack-seizure<\/em><\/a><\/li>\n<li><strong><em>Poly Network: $600M:<\/em><\/strong><em> On 10th August 2021, Poly Network suffered a hack that caused a loss of over 600 million dollars. The hack happened across multiple blockchains, including Ethereum, Binance Smart Chain, and Polygon. This is the largest crypto hack yet. Further reading: <\/em><a href=\"https:\/\/mudit.blog\/poly-network-largest-crypto-hack\/\"><em>mudit.blog\/poly-network-largest-crypto-hack<\/em><\/a><\/li>\n<li><strong><em>Wormhole Bridge Hack: $320M:<\/em><\/strong><em> On February 2nd, 2022, the Wormhole bridge was hacked for 120,000 wETH worth $320M. The hacker exploited a vulnerability in the smart contract and minted new tokens. After the hack, the Wormhole network was taken down to patch the vulnerability. Further reading: <\/em><a href=\"https:\/\/rekt.news\/wormhole-rekt\/\"><em>rekt.news\/wormhole-rekt<\/em><\/a><\/li>\n<\/ul>\n<p>In 2023, custodian and communicator attacks dominated, with losses exceeding $1 billion. More recent strikes, like Multichain (July 2023, CEO-linked keys) and Orbit Chain (January 2024, 7 of 10 keys compromised), show the pattern persists: <strong>human elements often trump\u00a0code.<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/mixbytes.io\/blog\/bridge-bugs-overview\"><em>Bridge Bugs\u00a0Overview<\/em><\/a><\/li>\n<li><a href=\"https:\/\/redefine.net\/media\/crossing-the-bridge\/\"><em>Bridges\u200a\u2014\u200aWhy, Where, and\u00a0Who?<\/em><\/a><\/li>\n<li><a href=\"https:\/\/quillaudits.medium.com\/bridge-security-in-blockchain-quillaudits-f4710d1d61d\"><em>Bridge Security in Blockchain | QuillAudits<\/em><\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/@j2abro\/a-visual-guide-to-blockchain-bridge-security-e982fec671a7\"><em>A Visual Guide to Blockchain Bridge\u00a0Security<\/em><\/a><\/li>\n<li><a href=\"https:\/\/composable-security.com\/blog\/6-security-sins-of-web-3-bridges\/\"><em>6 security sins of Web3\u00a0bridges<\/em><\/a><\/li>\n<\/ul>\n<h3>But How Are Bridges\u00a0Hacked?<\/h3>\n<p><strong>Reference: Daniel\u00a0Morales<\/strong><\/p>\n<h4>Fake Events<\/h4>\n<p>Often, a cross-chain bridge will monitor for deposit events on one blockchain to initiate a transfer to the other. If an attacker can generate a deposit event without making a real deposit, or by depositing a valueless token, then they can withdraw value from the bridge at the other\u00a0end.<\/p>\n<h4>Message Verification Bug<\/h4>\n<p>Cross-chain bridges validate a deposit or withdrawal before actually performing any transfers. There have been many instances in the past where a lack of proper signature validation has led to multi-million-dollar hacks. Recently, the BSC chain was attacked because of a similar bug, and a total of 576 million was withdrawn by\u00a0hackers.<\/p>\n<h4>Lack of Cross-Contract Access Control in Blockchain Bridges<\/h4>\n<p>It is important to have access control validations on critical functions that execute actions like modifying the owner, transferring funds and tokens, pausing and unpausing the contracts, etc.<\/p>\n<h4>Validator Takeover<\/h4>\n<p>Some cross-chain bridges have a set of validators that vote on whether or not to approve a particular transfer. If the attacker controls most of these validators, they can approve fake and malicious transfers. This is what happened in the Ronin Network hack, where the attacker took over 5 of the bridge\u2019s 9 validators.<\/p>\n<h4>Admin Private Key\u00a0Leak<\/h4>\n<p>If the admin key of the smart contract is leaked, all the funds and operations of the smart contract are at great risk. Recently, the Harmony bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies.<\/p>\n<h3>Security Measures<\/h3>\n<ul>\n<li><em>Audit Everything, Twice: Mandate multiple independent audits, fuzz testing, and formal verification for contracts. Bug bounties (e.g., via Immunefi) incentivize whitehats.<\/em><\/li>\n<li><em>Decentralize and Diversify: Use multi-network validators, slashable staking, and no single points of failure. Proven teams with track records beat untested\u00a0setups.<\/em><\/li>\n<li><em>Key Hygiene: Hardware security modules (HSMs), multi-sig with timelocks, and role-separated access\u200a\u2014\u200aditch hot\u00a0wallets.<\/em><\/li>\n<li><em>Monitor and Limit: Deploy AI-driven anomaly detection, circuit breakers, and rate limits (e.g., $10M\/hour per asset). Separate monitoring entities add oversight.<\/em><\/li>\n<li><em>Edge Case Scrutiny: Test upgrades rigorously, especially defaults and off-chain components. Limit execution paths to shrink attack surfaces.<\/em><\/li>\n<\/ul>\n<h3>Conclusion<\/h3>\n<p>Cross-chain bridges embody crypto\u2019s promise of boundless connectivity, but their hacks reveal a harsh truth: innovation outpaces security at our peril. From Ronin\u2019s validator fiasco to Wormhole\u2019s code slip, these breaches have cost billions and eroded confidence. Yet, as 2025 unfolds, emerging standards\u200a\u2014\u200adeeper audits, decentralized guardians, and proactive limits\u200a\u2014\u200asignal a turning point. For builders and users alike, the lesson is clear: treat bridges not as given infrastructure, but as battlegrounds demanding vigilance. In a truly interoperable future, the strongest chains won\u2019t be the richest\u200a\u2014\u200athey\u2019ll be the smartest.<\/p>\n<p>If we finally want to give people the opportunity to be their own bank, we must realize that in this case, people must be able to replace all those services and actions for which traditional banks get\u00a0money!<\/p>\n<p><strong>If you want to support my work, please consider <\/strong><a href=\"https:\/\/github.com\/OffcierCia\/support\"><strong>donating<\/strong><\/a><strong> to\u00a0me:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/etherscan.io\/address\/0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A?ref=hackernoon.com\"><strong>0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A<\/strong><\/a> or <a href=\"https:\/\/etherscan.io\/enslookup-search?search=officercia.eth&amp;ref=hackernoon.com\">officercia.eth<\/a>\u200a\u2014\u200aETH, BSC, Polygon, Optimism, Zk, Fantom,\u00a0etc.<\/li>\n<li><a href=\"https:\/\/blockchair.com\/bitcoin\/address\/17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU?ref=hackernoon.com\"><strong>17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU<\/strong><\/a>\u00a0&#8211;\u00a0BTC<\/li>\n<li><strong>4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds<\/strong>\u200a\u2014\u200aMonero\u00a0XMR<\/li>\n<\/ul>\n<h4>Stay safe!<\/h4>\n<p><a 
href=\"https:\/\/medium.com\/coinmonks\/how-cross-chain-bridges-are-hacked-d6ddb448401e\">How Cross-Chain Bridges are Hacked?<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>Without them, each chain would remain a siloed economy, stifling the growth of DeFi and NFTs. Bridges enable users to, say, deposit ETH on Ethereum and withdraw an equivalent wrapped version (wETH) on Polygon for cheaper transactions. In the sprawling universe of blockchain technology, cross-chain bridges serve as vital conduits, allowing digital assets to flow [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-98915","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/98915"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=98915"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/98915\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=98915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=98915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=98915"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}