Cross-Chain Bridge Security: How Bridges Work and Why They Break

Frequently Asked Questions

01.Why do cross-chain bridges get hacked so often?

Bridges concentrate value in a single custody contract secured by a small validator set or multisig, making them high-value targets with a narrow attack surface. Signature verification bugs, validator key compromises, and message replay flaws have accounted for over two billion USD in losses since 2021, per Chainalysis (Aug 2022).

02.What is the difference between lock-and-mint and burn-and-mint bridges?

Lock-and-mint locks the native asset on the source chain and mints a wrapped representation on the destination. Burn-and-mint destroys tokens on the source and reissues canonical supply on the destination, keeping total supply constant. Lock-and-mint creates honeypot custody contracts; burn-and-mint removes that risk but needs issuer control on both chains.

03.Which cross-chain bridge is the safest in 2025?

No bridge is risk-free. Architectures using ZK light clients (Polyhedra, Succinct) or native light-client verification (Cosmos IBC, Chainlink CCIP with the Risk Management Network) carry the smallest trust assumptions. Bridges depending on a small external multisig or bonded validator set remain the highest-risk designs.

04.How did the Ronin bridge get hacked?

On March 23, 2022, attackers tied to the Lazarus Group compromised five of nine validator keys, including one delegated to Axie DAO and never revoked. With the 5-of-9 quorum met, they forged two withdrawals totaling 173,600 ETH and 25.5M USDC, roughly 625 million USD at the time (Halborn, March 2022).

05.Can cross-chain bridges be made secure?

Yes, within limits. Rate limits, circuit breakers, ZK light-client verification, 20+ diverse validators, and independent monitoring layers have measurably reduced exploit frequency since 2023. Bridges still trade some trust for every improvement, so design is a tradeoff, not a solved problem.