Cross-Chain Bridge Security: Threat Models, Historical Exploits, and Vetting Criteria for Bridge Users

Cross-Chain Bridges Are Still the Softest Target in Crypto
If you look at the largest dollar losses in crypto history, bridges sit at the top of the list. Ronin. Wormhole. Nomad. Poly Network. Harmony. Multichain. Together, those incidents alone account for somewhere north of $2 billion in stolen funds, and that's before you count the smaller bridge drains that never made mainstream headlines. Bridges hold huge pools of locked assets, they sit between trust assumptions of two different chains, and their off-chain components are often the weakest link. That combination is catnip for attackers.
So if you're moving assets across chains, or building anything that depends on a bridge, you need a working threat model. Not a vibes-based one. A real one.
This is where a platform like BlockVet earns its keep, but we'll get to vetting workflows in a minute. First, the threats.
What a Cross-Chain Bridge Actually Is (And Why That Matters for Security)
A bridge is a system that lets value or messages move between two chains that don't natively know about each other. The mechanism varies, and the mechanism is the threat model.
The common designs:
Lock-and-mint. User locks an asset on Chain A, a wrapped version is minted on Chain B. The bridge custodies the original. If the custody breaks, the wrapped supply on Chain B becomes uncollateralized paper. This is what happened with Wormhole in February 2022: an attacker bypassed signature verification on Solana and minted 120,000 wETH that wasn't backed by anything on Ethereum.
Burn-and-mint. Asset is burned on the source chain, minted on the destination. Cleaner in theory, but you've still got to trust the messaging layer that says "yes, this really was burned."
Liquidity-network bridges. Pools on both sides, no wrapping. Cheaper UX, but the pools are a juicy honeypot, and the rebalancing logic is its own attack surface.
Validator/multisig-secured bridges. A set of off-chain signers attest to events. Ronin used a nine-validator multisig where only 5 of the 9 signatures were required, and Sky Mavis controlled four of them plus a delegated fifth through Axie DAO. Attackers compromised the keys and walked off with $625 million. The contract worked exactly as written. The trust assumption is what failed.
Light-client / zk bridges. Stronger trust model in theory, since one chain verifies the other's consensus directly. Much harder to build correctly. The bug surface moves from "who controls the keys" to "is the verification math right."
Every category has been exploited. The question is never "is this bridge safe," it's "what does this bridge actually trust, and is that thing trustworthy."
The Threat Model, Broken Down
A useful way to think about bridge risk is to split it into four layers. Most exploits hit one of these, sometimes two at once.
1. Smart contract layer. Bugs in the on-chain code. Re-entrancy, signature replay, missing access controls, broken proof verification. Nomad's August 2022 incident is the textbook case: a routine upgrade marked the zero hash as a valid root, which meant any message could be "proven" valid. Once one wallet figured it out, anyone could copy the transaction, change the recipient, and drain the contract. About $190 million gone in a chaotic free-for-all.
2. Validator / signer layer. Whoever controls the keys controls the bridge. Harmony's Horizon bridge fell because two of five multisig keys were compromised. Ronin, same story, bigger numbers. If a bridge has a small signer set, you don't need a contract bug. You need a phishing email and patience.
3. Relayer and oracle layer. The off-chain machinery that watches one chain and reports to the other. If a relayer can be tricked, censored, or front-run, the whole bridge inherits that weakness.
4. Governance layer. Who can upgrade the contracts? Who can pause them? Who can change the signer set? A bridge with a 2-of-3 multisig controlling upgrades is, functionally, a 2-of-3 multisig holding all the user funds. The TVL is whatever those three people decide it is.
A Short History Lesson, Because People Keep Forgetting
The pattern across the big bridge hacks is depressingly consistent. Here's the short version, with the lesson each one taught (or should have taught):
Poly Network, August 2021, around $611 million. Attacker exploited a contract function that let them change the keepers of the bridge to addresses they controlled. Most funds were returned. Lesson: privileged functions need real access control, not just naming conventions.
Wormhole, February 2022, $326 million. Signature verification bug on the Solana side. A deprecated function let the attacker fake a guardian signature. Lesson: deprecated code paths are still attack surface until they're physically removed.
Ronin, March 2022, $625 million. Social engineering against Sky Mavis employees gave attackers control of enough validator keys to forge withdrawals. The exploit wasn't even detected for six days. Lesson: off-chain key custody is your real threat model, and monitoring matters as much as prevention.
Nomad, August 2022, around $190 million. Initialization bug after an upgrade. Lesson: upgrades are exploits waiting to happen if you don't test the post-state.
Harmony Horizon, June 2022, $100 million. Two compromised multisig keys out of five. Same lesson as Ronin, learned by nobody.
Multichain, July 2023, around $126 million. Still murky, but the working theory is that one person (the CEO) controlled the keys, and when he was detained, the bridge went with him. Lesson: "decentralized" in the marketing copy is not the same as decentralized in the key management.
Notice what's missing from this list: cryptographic breaks. Nobody is factoring RSA. The exploits are operational, governance-related, or boring old contract bugs. That's where you should be looking when you vet a bridge.
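To make the Nomad case and the "test the post-state" lesson concrete, here is an added Python model (not Nomad's or any bridge's code) of a replica whose initialization confirms the zero root, the hardened variant beside it, and the post-upgrade invariant check that would have flagged the bug before deployment. The `confirm` and `prove` methods, the `proof_ok` flag standing in for Merkle proof verification, and all hashes are constructed for the example.

```python
ZERO_ROOT = bytes(32)  # the all-zero Merkle root

class VulnerableReplica:
    """Models the bug: initialization marks the committed root (zero) as
    confirmed, and a message hash nobody proved reads back as the zero root."""
    def __init__(self, committed_root=ZERO_ROOT, timestamp=1_000):
        self.confirm_at = {committed_root: 1}  # root -> time it becomes usable
        self.messages = {}                     # msg_hash -> root it was proven under
        self.timestamp = timestamp

    def confirm(self, root):
        # Stand-in for an update relayed from the home chain (constructed).
        self.confirm_at[root] = self.timestamp

    def acceptable_root(self, root):
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.timestamp >= t

    def process(self, msg_hash):
        # Bug: an unproven hash defaults to ZERO_ROOT, which is "confirmed".
        return self.acceptable_root(self.messages.get(msg_hash, ZERO_ROOT))

class HardenedReplica(VulnerableReplica):
    """Hardening (ours, not the project's patch): never confirm the zero
    root, and only process hashes that were explicitly proven."""
    def __init__(self, committed_root=ZERO_ROOT, timestamp=1_000):
        super().__init__(committed_root, timestamp)
        self.confirm_at.pop(ZERO_ROOT, None)

    def prove(self, msg_hash, root, proof_ok):
        # proof_ok is a placeholder for real Merkle proof verification.
        if proof_ok and root != ZERO_ROOT and self.acceptable_root(root):
            self.messages[msg_hash] = root
            return True
        return False

    def process(self, msg_hash):
        root = self.messages.get(msg_hash)
        return root is not None and root != ZERO_ROOT and self.acceptable_root(root)

def post_upgrade_invariants(replica):
    """The post-state test an upgrade should pass before it goes live:
    the zero root is never acceptable and an unproven hash never processes."""
    unknown = b"\x42" * 32  # constructed hash that was never proven
    return (not replica.acceptable_root(ZERO_ROOT)
            and not replica.process(unknown))
```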
Vetting Criteria: What to Actually Check Before You Bridge
If you're a user moving funds, or an analyst evaluating a project that depends on a bridge, here's a working checklist. It's not exhaustive. Nothing is. But if a bridge fails several of these, walk away.
Audit history, and the quality of it. Has the bridge been audited? By whom? How recent? Is the audit covering the current deployed code, or some ancestor of it from eighteen months and three upgrades ago? An audit from a reputable firm is a starting point, not a verdict. Read the actual report. Look at what was flagged and whether it was fixed. A clean audit on a complex bridge should make you more suspicious, not less.
Trust model, stated plainly. Can the bridge tell you, in one sentence, who you're trusting? "We trust a 13-of-19 multisig of these named entities." Or, "We trust the Ethereum light client implementation verified by these zk circuits." If the answer is fuzzy, the answer is bad.
Signer set composition. How many signers, what's the threshold, who are they, and are they actually independent? A 5-of-8 multisig where six of the eight are employees of the same company is not 5-of-8 security. It's 1-of-1 security with extra steps.
Upgradeability and timelocks. Can the contracts be upgraded? By whom? Is there a timelock long enough for users to exit if a malicious upgrade is proposed? Twenty-four hours is not enough. Forty-eight is borderline. Seven days is starting to look serious.
Pause and emergency controls. Who can pause the bridge, and under what circumstances? Pause functions are good (one would have helped at Ronin). Pause functions controlled by a single EOA are not.
TVL versus age. A bridge holding nine figures that launched four months ago is a target wearing a sandwich board. Time in production is the cheapest, dumbest, most reliable security signal we have.
Incident response track record. Has anything gone wrong before? How did the team handle it? Did they communicate? Did they reimburse users? Did they fix the root cause or paper over it? Bridges that have survived a real incident and learned from it are sometimes safer than bridges that have never been tested.
Monitoring and disclosure. Are there public dashboards for bridge reserves? Does locked collateral on Chain A actually match minted supply on Chain B? If you can't verify the peg yourself, you're trusting someone else to do it for you.
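The signer-set, timelock and peg items above are the ones you can actually compute rather than read. This added Python helper (ours, not BlockVet's) turns them into findings: it works out how many independent operators are really needed to reach a multisig threshold, applies the seven-day timelock bar, and compares locked collateral to minted supply. The bridge description, operator names and figures are constructed sample data.

```python
from collections import Counter

def parties_needed(signer_operators, threshold):
    """Fewest distinct operators whose keys together reach the threshold.
    1 means one organization can authorize withdrawals on its own."""
    per_operator = sorted(Counter(signer_operators.values()).values(), reverse=True)
    keys = 0
    for n_parties, n in enumerate(per_operator, start=1):
        keys += n
        if keys >= threshold:
            return n_parties
    return None  # threshold exceeds key count: misconfigured set

def vet_bridge(b):
    """Return a list of findings for one bridge description (constructed schema)."""
    findings = []
    k = parties_needed(b["signers"], b["threshold"])
    if k is None or k < 3:
        findings.append(f"signer set: {b['threshold']}-of-{len(b['signers'])} "
                        f"is effectively {k}-party control")
    if b["upgradeable"] and b["timelock_hours"] < 7 * 24:
        findings.append(f"upgrade timelock {b['timelock_hours']}h is under 7 days")
    unbacked = b["minted_b"] - b["locked_a"]
    if unbacked > 0:
        findings.append(f"peg: {unbacked} wrapped units not backed on chain A")
    return findings

# Constructed sample: a 5-of-8 multisig where six keys belong to one company.
SAMPLE = {
    "name": "ExampleBridge",
    "threshold": 5,
    "signers": {**{f"key{i}": "AcmeLabs" for i in range(6)},
                "key6": "Foundation", "key7": "InfraCo"},
    "upgradeable": True,
    "timelock_hours": 24,
    "locked_a": 10_000,
    "minted_b": 10_250,
}

if __name__ == "__main__":
    for finding in vet_bridge(SAMPLE):
        print(f"{SAMPLE['name']}: {finding}")
```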
Where a Security Intelligence Layer Fits
The honest problem with the checklist above is that it's a lot of work to run by hand, for every bridge, every time. And the state of any given bridge changes. Signer sets get rotated. Upgrades happen. New audits get published. A bridge that scored well six months ago might be hosting a freshly compromised relayer today.
This is the gap that security intelligence platforms try to fill. BlockVet's intelligence dashboard tracks security scoring, risk assessment, and live monitoring across more than 3,000 blockchain projects, with smart-contract audit data, news aggregation tied to security events, and a watchlist for projects you actually care about. For a bridge user, the practical value isn't "the platform tells me which bridge is safe." Nothing tells you that. The value is that you don't have to manually re-check audit status, governance changes, and incident reports across a dozen bridges every week. You get a feed instead of a research project.
For analysts and organizations doing compliance or risk work, the same dashboard doubles as a paper trail. You can show why you flagged a bridge, when, and based on what.
A Few Honest Caveats
No vetting process catches everything. Wormhole had been audited. Ronin's contract was, in isolation, fine. Nomad's bug shipped in an upgrade reviewed by competent engineers. Bridge security is hard because the attack surface spans two chains, an off-chain network, and a human organization, and the attacker only has to find one seam.
So treat any single tool, including security intelligence platforms, as one input. Cross-reference. Read the audits yourself when the stakes are high. Don't move size through a bridge you haven't read about. And if a bridge is offering yields or rates that only make sense if you ignore the tail risk, the tail risk is the product.
If you want to start tracking bridges and the projects depending on them with something more structured than a spreadsheet and a Twitter list, BlockVet's dashboard is a reasonable place to set up a watchlist and let the monitoring run in the background while you do the rest of your work.
Bridges aren't going away. The cross-chain world is too useful, and too profitable, for that. But the security work isn't optional, and the history is clear about what happens when people pretend it is.
Written by the CreatorFetch.com editorial team.