How Cross-Chain Bridges are Hacked?

23-Sep-2025

Without them, each chain would remain a siloed economy, stifling the growth of DeFi and NFTs. Bridges enable users to, say, deposit ETH on Ethereum and withdraw an equivalent wrapped version (wETH) on Polygon for cheaper transactions. In the sprawling universe of blockchain technology, cross-chain bridges serve as vital conduits, allowing digital assets to flow seamlessly between isolated networks like Ethereum, Solana, and Binance Smart Chain.

Awesome On-Chain Investigations HandBook

These bridges unlock liquidity, enable DeFi innovations, and power everything from cross-chain swaps to enterprise settlements. But with great connectivity comes great risk: hackers have siphoned off over $2.8 billion from bridges since 2022, making them one of the juiciest targets in crypto. As the multi-chain ecosystem matures — with $55 billion in total value locked (TVL) across bridges in 2025 — these vulnerabilities aren’t just historical footnotes; they’re ongoing threats that could undermine trust in Web3 interoperability. This article breaks down how bridges operate, the sneaky ways they’re exploited, real-world horror stories, and strategies to lock down the future.

At their core, cross-chain bridges are decentralized applications (dApps) that act like interstellar portals for tokens and data, bridging blockchains that were never designed to talk to each other. Essentially, a cross-chain bridge is a technology that allows communication between two separate blockchain networks, such as transferring and swapping assets, calling functions in contracts from other blockchains, and more. Bridges, in other words, enable users to transfer assets from one network to another. For example, if you have Bitcoin and want to spend it like Ethereum, you can do so via the bridge.

This process relies on trust-minimized mechanisms like Merkle proofs or multi-signature (multisig) approvals to verify transactions without a central authority. The magic happens through smart contracts on both chains:

  • Deposit/Lock: You send assets to a bridge contract on the source chain, where they’re locked or burned.
  • Cross-Chain Messaging: A protocol relays proof of the deposit (e.g., via oracles or validators) to the destination chain.
  • Mint/Unlock: Equivalent assets are minted or unlocked from a reserve on the target chain.

Types of Bridges

  • Lock-and-Mint: Locks originals on the source; mints “IOUs” on the destination (e.g., most popular for wrapped tokens).
  • Burn-and-Mint: Destroys tokens on source; recreates natives on destination (more gas-efficient but riskier if proofs fail).
  • Lock-and-Unlock: Locks source assets; draws from a liquidity pool on destination, often incentivized by fees.

There will undoubtedly be more opportunities for users to use bridges as the number of different blockchains grows. However, if you are unfamiliar with the characteristics of each bridge, you may be exposed to unexpected risks, so use them with caution.

Bridges aren’t monolithic fortresses; they’re patchwork systems blending on-chain code, off-chain validators, and human oversight. Exploits often target these seams, exploiting logic flaws, human error, or design oversights. Drawing from security analyses, here are seven key vulnerabilities — and how attackers weaponize them.

With all of these major hacks occurring so frequently and in such a short period of time, it should be obvious that security is desperately needed. I’ll go over the most common bridge attacks and provide a list of useful resources to help you protect yourself from potential problems!

Top Bridge Hacks

  1. BSC Bridge: $568M: On 7th October 2022, an exploit was affecting the native cross-chain bridge called “BSC Token Hub”. The bug was in the proof verifier of the bridge. A total of 2 million BNB was withdrawn and Binance temporarily paused BSC Network to prevent further damages. Funds taken off BSC are estimated between $100M — $110M. Further Reads: blog.quillhash.com/2022/10/11/the-million-dollars-bsc-token-hub-bridge-hack-analysis
  2. Nomad attacks: $200M: Back in August, hackers exploited Nomad to steal around $200 million. The main cause of the attack was that Nomad’s smart contract failed to properly validate the input of the transaction. Further Reads: sm4rty.medium.com/nomad-bridges-200-million-exploit-postmortem-9d1cd83db1f7
  3. Harmony Bridge: $100M: On June 2022, The Harmony Horizon bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies, including Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, Tether (USDT), and USD Coin (USDC). The attacker then used Tornado Cash to launder many of the stolen tokens. Further Reads: medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66
  4. Ronin Bridge: $600M: In March 2022, a huge hack was carried out at Ronin Network, the Ethereum-based sidechain for the well-known cryptocurrency game Axie Infinity. The attackers stole approximately 173,600 ETH and 25.5 million USDC for a total value of approximately $624 million. The attacker allegedly used hacked private keys to fabricate bogus withdrawals from the Ronin bridge contract in two transactions. Further Reads: blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure
  5. Poly Network: $600M On 10th August 2021, Poly Network suffered from a hack that caused a loss of over 600 million dollars. The hack happened across multiple blockchains including Ethereum, Binance Smart Chain, and Polygon. This is the largest crypto hack yet. Further Reads: mudit.blog/poly-network-largest-crypto-hack
  6. Wormhole Bridge Hack: $320M On February 2nd, 2022, Wormhole Bridge was hacked for 120,000 wETH worth $320M. The hacker exploited the vulnerability in the smart contract and minted new tokens. After the hack, The Wormhole network was taken down to patch the vulnerability. Further Reads: rekt.news/wormhole-rekt

In 2023, custodian and communicator attacks dominated, with losses exceeding $1 billion.More recent strikes, like Multichain (July 2023, CEO-linked keys) and Orbit Chain (January 2024, 7/10 keys compromised), show the pattern persists: human elements often trump code.

But How Bridges are Hacked?

  • Reference: Daniel Morales

Fake Events

Often, a cross-chain bridge will monitor for deposit events on one blockchain to initiate a transfer to the other. If an attacker can generate a deposit event without making a real deposit or by depositing with a valueless token, then they can withdraw value from the bridge at the other end.

Message Verification Bug

Cross-chain bridges perform validation of a deposit or withdrawal before actually performing any transfers. There have been many instances in the past where lack of proper validation of signature leads to millions of dollars hacks. Recently BSC chain was attacked because of a similar bug and a total of 576 Million was withdrawn by hackers.

Lack of Cross-Contract Access Control in Blockchain Bridges

It is important to have access control validations on critical functions that execute actions like modifying the owner, transfer of funds and tokens, pausing and unpausing the contracts, etc.

Validator Takeover

Some cross-chain bridges have a set of validators that vote whether or not to approve a particular transfer. If the attacker controls most of these validators, they can approve fake and malicious transfers. This is what happened to these validators in the Ronin Network hack, where the attacker took over 5 of the bridge’s 9 validators.

Admin Private Key Leak

If the admin key of the smart contract is leaked, all the funds and operation of the smart contract will be at great risk. Recently, the Harmony bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies.

Security Measures

  • Audit Everything, Twice: Mandate multiple independent audits, fuzz testing, and formal verification for contracts. Bug bounties (e.g., via Immunefi) incentivize whitehats.
  • Decentralize and Diversify: Use multi-network validators, slashable staking, and no single points of failure. Proven teams with track records beat untested setups.
  • Key Hygiene: Hardware security modules (HSMs), multi-sig with timelocks, and role-separated access — ditch hot wallets.
  • Monitor and Limit: Deploy AI-driven anomaly detection, circuit breakers, and rate limits (e.g., $10M/hour per asset). Separate monitoring entities add oversight.
  • Edge Case Scrutiny: Test upgrades rigorously, especially defaults and off-chain components. Limit execution paths to shrink attack surfaces.

Conclusion

Cross-chain bridges embody crypto’s promise of boundless connectivity, but their hacks reveal a harsh truth: innovation outpaces security at our peril. From Ronin’s validator fiasco to Wormhole’s code slip, these breaches have cost billions and eroded confidence. Yet, as 2025 unfolds, emerging standards — deeper audits, decentralized guardians, and proactive limits — signal a turning point. For builders and users alike, the lesson is clear: treat bridges not as given infrastructure, but as battlegrounds demanding vigilance. In a truly interoperable future, the strongest chains won’t be the richest — they’ll be the smartest.

If we finally want to give people the opportunity to be their own bank, we must realize that in this case, people must be able to replace all those services and actions for which traditional banks get money!

If you want to support my work, please consider donating me:

Stay safe!

How Cross-Chain Bridges are Hacked? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Also read: GROK AI Predicts How High Dogecoin Price Will Be If Bitcoin Hits $10 Trillion Market Cap
WHAT'S YOUR OPINION?
Related News