On March 23, 2022, the Ronin bridge lost $625 million. The attacker didn't break any cryptography or find an edge case in Solidity. They compromised five of the nine validator keys that controlled the bridge's multisig. The bridge's smart contracts functioned exactly as designed — they just signed off on fraudulent withdrawals.
That incident captures something important about bridge security: the attack surface isn't just the code. It's the trust model underneath the code.
Why Bridges Are the Highest-Value Target
A bridge's value proposition is also its risk profile. To enable cross-chain transfers, bridges must:
- Lock assets on the source chain — the bridge contract holds the tokens being bridged
- Mint or release equivalents on the destination chain — based on messages or proofs from the source
The locked assets are the target. At peak, individual bridges held over $10 billion in TVL. The attack surface is concentrated: one contract, one exploit, potentially billions drained.
Compare that to a DEX or lending protocol, where risk is somewhat distributed across liquidity pools and positions. A bridge is more like a bank vault with a door that has to open reliably across two different chains. The security of that door is everything.
The Trust Model Spectrum
Bridges exist on a spectrum from fully trusted to trustless, and most real-world bridges sit somewhere in the middle.
Externally Validated Bridges rely on a set of validators (or a multisig) to attest that a message on the source chain is valid before releasing assets on the destination chain. Ronin used this model. Wormhole uses it (19 "Guardians"). Multichain used it — and when the CEO was detained by Chinese authorities in 2023, the private keys went with him, effectively ending the protocol.
The risk: the validator set is the trust anchor. Compromise enough validators, and you control the bridge.
Optimistic Bridges (Nomad, early Across) assume messages are valid and allow a challenge window — typically 30 minutes to 7 days — for fraud proofs to be submitted. Faster than light-client bridges but slower than validator bridges. The Nomad exploit in 2022 drained $190M not by breaking the optimistic model but by a critical implementation bug: a routine upgrade initialized the "trusted root" to zero, which meant any message was valid by default.
Light Client Bridges verify the source chain's consensus directly on the destination chain — essentially running a source-chain verifier as a smart contract. Near Protocol's Rainbow Bridge and IBC (Cosmos) use variants of this. The trust assumptions shrink to the source chain's consensus itself, not a separate validator set. The tradeoff is significantly higher gas costs and engineering complexity.
Recurring Vulnerability Classes
Despite different trust models, bridge exploits cluster around the same code-level failures.
Signature Verification Failures
The most consequential bridge bugs have been in how messages are authenticated. The Wormhole hack ($320M, February 2022) exploited a deprecated Solana syscall that still existed in the codebase. The contract checked signatures using verify_program_account, which an attacker replaced with a spoofed verification contract — effectively forging a valid signature on a fraudulent mint instruction.
// Simplified: the check that should have stopped it
function processMessage(bytes calldata encodedVM) external {
(IWormhole.VM memory vm, bool valid, string memory reason) =
wormhole.parseAndVerifyVM(encodedVM);
require(valid, reason); // This must actually reject invalid signatures
// ...
}
The lesson isn't "use require" — the lesson is that signature verification logic in cross-chain systems is extraordinarily sensitive to implementation details and deserves adversarial review at every change.
Replay Attacks
A message authorizing a withdrawal on Chain B should only be usable once and only on Chain B. Without proper nonce tracking and chain ID binding, the same message can be replayed:
- On the same chain multiple times (if nonce isn't consumed)
- On a different destination chain (if chain ID isn't included in the signed payload)
// Missing: chain ID and nonce in the signed message
function withdraw(
address token,
uint256 amount,
address recipient,
bytes calldata signature
) external {
bytes32 messageHash = keccak256(abi.encodePacked(token, amount, recipient));
// ^ chain ID and nonce are absent — replay possible
require(recoverSigner(messageHash, signature) == trustedRelayer, "Bad sig");
_release(token, amount, recipient);
}
The fix: include block.chainid, a nonce or unique message ID, and the contract address in every signed payload. Mark nonces as consumed before releasing assets.
Incorrect Message Verification
Nomad's $190M loss in August 2022 came down to a single line. During an upgrade, the initialize() function set the trusted root to bytes32(0). The prove() function accepted any message whose root was the trusted root — which was now zero, matching any uninitialized bytes32. Every pending message in the queue was suddenly valid. The exploit was permissionless and quickly copied by hundreds of wallets.
The root cause: initialization logic that wasn't reviewed with the same adversarial lens as the core protocol. Upgrade functions deserve the same scrutiny as the functions they're modifying.
Unbounded Minting
When bridge messages aren't properly verified, the consequence is often unbounded minting on the destination chain. An attacker who can forge a valid "deposit received on source chain" message can mint arbitrary amounts of the bridged token on the destination chain.
The Qubit Finance exploit ($80M, January 2022) followed this pattern: a bug in the deposit function allowed an attacker to call deposit() on the bridge without actually depositing funds on the source chain, triggering a mint on the destination chain against a phantom deposit.
What Better Bridges Do
The exploits above share a common thread: trust anchors that were narrower than assumed and message validation that was weaker than intended.
Bridges that have held up better tend to:
- Minimize validator set centralization — higher N, geographic distribution, hardware security modules for key storage
- Use timelocks on large withdrawals — a mandatory delay on withdrawals above a threshold gives time to detect and pause before funds leave
- Implement circuit breakers — automatic pausing when outflow volume exceeds expected rates, giving the team time to investigate anomalies
- Separate upgrade keys from operational keys — the key that can pause the bridge shouldn't be the same key that can upgrade the contract logic
- Prove rather than attest when possible — light client verification reduces trust assumptions, even at the cost of gas efficiency
None of these are silver bullets. The engineering tradeoffs are real. But the bridges that have avoided catastrophic failure share most of these properties.
For Auditors and Developers
When reviewing bridge code, priority attention areas:
- Every code path that mints or releases assets on the destination chain
- The exact contents of signed messages — chain ID, nonce, contract address, expiry
- How nonces are tracked and whether they're consumed before asset release
- Initialization of critical state variables — especially after upgrades
- Validator set management: how keys are added, removed, and rotated
- What happens during a pause — can funds still be extracted?
ContractScan's static engines catch some of these patterns — signature verification gaps, uninitialized variables, missing access control on mint functions. The cross-chain trust model and message authentication logic require manual review; the scope of what an auditor needs to understand extends beyond the contract itself to the off-chain relayer and validator infrastructure.
Cross-chain infrastructure is the largest attack surface in DeFi by dollar value lost. The pattern is consistent: a bridge raises TVL, becomes a target, and reveals a gap between the security model that was described and the one that was actually implemented. Building or auditing a bridge in 2026 means understanding where that gap tends to appear — before it does.
ContractScan is a multi-engine smart contract security scanner. QuickScan is free and unlimited — no sign-up required. Try it now.