SolutionsProductsAuditsBlogContactRequest an Audit
BlogThe Bridge Problem: Why Cross-Chain Protocols Lose More Money Than Any Other DeFi Category
The Bridge Problem: Why Cross-Chain Protocols Lose More Money Than Any Other DeFi Category
security-analysis11 min readJune 24, 2026
0xTeam Author
Share

The Bridge Problem: Why Cross-Chain Protocols Lose More Money Than Any Other DeFi Category

Bridges account for nearly 40% of all value stolen in Web3 — over $4B across 49 incidents — despite being a fraction of DeFi TVL. A structural breakdown of why cross-chain protocols concentrate risk, the three failure modes that repeat, and why audits keep missing them.

The numbers are not close.

Cross-chain bridges have been responsible for nearly 40% of all value stolen in Web3, with cumulative losses exceeding $4 billion across roughly 49 bridge incidents between June 2021 and September 2024, according to research from Augusto et al. In 2022 alone, Chainalysis attributed approximately $2 billion in stolen funds to bridge exploits — representing roughly two-thirds of all value stolen from DeFi that year. In 2024, Immunefi data showed that bridges and cross-chain messaging protocols accounted for $1.19 billion of that year's total losses, despite representing fewer than 5% of monitored protocols by count.

2026 has continued the pattern. Eight major bridge exploits drained approximately $329 million in the first five months. In May 2026 alone, bridges claimed $28.62 million of that month's total crypto exploit losses — the largest category by dollar amount, from a protocol class that holds only a fraction of total DeFi TVL. PeckShield's tracking as of June 1, 2026 logged 14 major cross-chain bridge exploits for a combined $340.7 million on the year, and that count does not include the Syscoin bridge exploit on June 7.

No other protocol category generates losses at this ratio. Flash loan attacks are more frequent. Oracle manipulation is more technically sophisticated. Private key compromises are operationally simpler to execute. But measured by dollars extracted per incident, and by the proportion of total losses attributable to a single protocol category, bridges are in a class of their own.

This is not a streak of bad luck. The largest single bridge exploits span five years and multiple architectural generations: Ronin ($624M, March 2022), Wormhole ($320M, February 2022), Nomad ($190M, August 2022), Kelp DAO ($292M, April 2026), Drift ($285M, April 2026). Drift and Kelp alone are both larger than any single DeFi exploit recorded in either 2023 or 2024. The technology changes. The failure modes repeat. The losses keep growing.

The question is not whether bridges are dangerous. The data has answered that. The question is why — structurally, architecturally — and whether the problem is solvable.

Why Bridges Concentrate Risk

A cross-chain bridge does something that most DeFi protocols do not: it holds custody of assets from multiple chains simultaneously.

When you bridge ETH from Ethereum to Base, your ETH does not teleport. It is locked in a smart contract on Ethereum. A corresponding representation of that ETH is minted on Base. The bridge contract on Ethereum now holds your ETH in reserve against the wrapped token in circulation on Base. Scale this across a protocol that supports twenty chains — and some do — and the bridge contract becomes a single smart contract holding collateral for the entire multi-chain ecosystem it serves.

This is the fundamental risk concentration problem. A bridge holds the reserve backing every wrapped token in circulation across every chain it serves. One vulnerability, one misconfiguration, one compromised key set — and every chain in the ecosystem is exposed simultaneously.

As of 2025, total value locked in cross-chain bridges reached $55 billion, with monthly bridging volumes surpassing $23 billion. That is the aggregate prize pool sitting behind bridge security. The attack surface of a bridge scales with the number of chains it connects. The value at risk scales with the total assets in circulation across all of them. Every new chain a bridge supports increases both.

The Kelp DAO exploit in April 2026 made this concrete. An attacker forged a cross-chain message on the protocol's LayerZero-powered bridge, releasing approximately 116,500 rsETH. That token backed positions across more than twenty chains — Base, Arbitrum, Linea, Scroll, and others. One flaw in message verification. Twenty ecosystems exposed. $292 million drained. Aave froze markets and lost over $8.45 billion in deposits within 48 hours as a direct consequence of the contagion.

This is not a scenario that exists in single-chain DeFi. A bug in a lending protocol on Arbitrum affects Arbitrum users. A bug in a bridge serving twenty chains affects twenty chains' worth of collateral. Every new integration multiplies both the utility and the blast radius.

The Three Failure Modes That Repeat

Five years of bridge exploits cluster around three structural failure modes. Individual incidents have unique implementation details. The categories they belong to are remarkably stable.

Validator Compromise

The Ronin bridge, which served the Axie Infinity ecosystem, relied on nine validator nodes. Five signatures were required to authorize withdrawals. The attacker compromised four nodes belonging to Sky Mavis and one belonging to the Axie DAO over a period of days. No alert fired. The compromise was only discovered five days later, when a user reported being unable to withdraw. By then, 173,600 ETH and 25.5 million USDC — totalling over $624 million — had been taken.

The attack was not a smart contract exploit. It was not a cryptographic break. It was a social engineering and infrastructure compromise operation targeting the humans and machines that controlled the validator set.

Ronin is not unique. Harmony's Horizon bridge suffered a similar validator key compromise in 2022. The Drift Protocol hack in April 2026 — $285 million — was the result of a six-month social engineering operation targeting the individuals with control over administrative keys, attributed by investigators to the Lazarus Group, North Korea's state-affiliated hacking unit. Drift's TVL collapsed from $550 million to under $300 million within an hour of the exploit becoming public.

Research by IC3, the Initiative for CryptoCurrencies and Contracts, found that validator-set bridges become economically insecure whenever the cost of corrupting a threshold of validators falls below the value of assets the bridge secures — a condition that is regularly met in practice for bridges securing hundreds of millions with validator sets earning annualized yields of a few percent. Validator set size matters less than the economic relationship between validator collateral and bridge TVL.

Proof and Message Verification Failures

The second category covers failures in how bridges verify that a claimed event on Chain A actually occurred before authorizing an action on Chain B.

Wormhole lost $320 million in February 2022 when an attacker exploited a signature verification vulnerability in the bridge's Solana contracts. The protocol used a custom signature validation function rather than a system call. The custom implementation had a flaw that allowed the attacker to bypass the check entirely — a fake deposit on Solana was made to appear legitimate and 120,000 ETH were minted on Ethereum against it. CertiK's 2025 annual security report noted that input validation failures remain the most common root cause across all DeFi exploit categories, and bridge message-processing surfaces are among the widest in the ecosystem.

Nomad lost $190 million through a different mechanism in August 2022. A routine upgrade set the value of a trusted root to zero. Because the message verification logic checked incoming messages against this trusted root, any message was now technically valid. Once one attacker demonstrated this, hundreds of others copied the exploit transaction and changed the destination address. Researchers tracking the Nomad attack documented 382 attacking transactions on-chain — a crowdsourced drain that unfolded in hours.

The Syscoin bridge hack in June 2026 belongs here as well. The attacker crafted a transaction with two asset commitments pointing at the same output — one for native SYS, one for a custom test token. Syscoin Core and the NEVM relay parsed the ambiguous payload differently, with the relay treating it as a valid burn of native SYS. The proof was invalid. The parser reported it as valid. The relay authorized the mint of 5 billion SYS, inflating the protocol's circulating supply by 568% in a single transaction.

The common thread is not cryptographic weakness. The cryptographic schemes in all three protocols were sound. The failures were in implementation — verification code, configuration, parsing logic. Code that processes trust-critical inputs received less adversarial scrutiny than the inputs warranted.

Configuration and Governance Failures

The third category covers misconfiguration and governance design decisions that create single points of failure even when the underlying smart contract code is correct.

The Kelp DAO exploit exploited a LayerZero default configuration in which the RPC quorum was set to 1-of-1. A single node — the minimum possible trust threshold — was sufficient to authorize cross-chain messages. One compromised node meant full control over the message layer. In a system backing $292 million of collateral across twenty chains, a 1-of-1 quorum is not a security model. It is the absence of one.

This class of failure is distinct from the previous two. The code may be correct. The cryptography may be sound. The validator set may be intact. But if the configuration parameters that govern trust thresholds, quorum requirements, time locks, and upgrade delays are set incorrectly — deliberately or through misunderstanding of defaults — the security properties the architecture is supposed to provide do not exist.

Why Audits Miss Bridge Vulnerabilities

The persistence of bridge exploits despite extensive use of audit services raises a question that the industry has not adequately answered.

Ronin had been reviewed. Wormhole had been reviewed. Nomad had been reviewed. Kelp DAO had been reviewed. The audit industry has not failed to identify any bridge vulnerabilities — reports from major firms contain findings of real consequence. But the exploited vulnerabilities in the incidents above were not caught by pre-deployment reviews. Several structural factors explain this.

  • Smart contract auditors are optimized for smart contract review. Bridge vulnerabilities increasingly live in the off-chain components — the relay processes, the validator infrastructure, the proof parsers, the message queues. These are not Solidity. They are Go, Rust, Python. They require different tooling and different expertise. A firm that is excellent at EVM security may have limited depth in adversarial review of off-chain bridge relay code. The Syscoin exploit was not in any Solidity contract. It was in the relay's C++ parsing logic.
  • Infrastructure security is treated as separate from smart contract security. The Ronin and Drift exploits were infrastructure and social engineering attacks. The smart contract code was not the vulnerability. But audit engagements are typically scoped to the contracts. The validator key management procedures, the signer OpSec, the access controls on the infrastructure running the bridge — these may receive a brief review but not the adversarial testing they warrant. Nation-state-level attackers bring six months of patience to these attacks. Brief reviews are not a match for that.
  • Configuration review is not standard. The Kelp DAO exploit was a configuration failure, not a code failure. Pre-deployment audits review code. They do not always systematically audit the configuration parameters the code will be deployed with. A 1-of-1 quorum setting may never appear in an audit report because no auditor checked that default.

What a Complete Bridge Security Program Looks Like

The pattern across five years of bridge exploits suggests that standard smart contract audit engagements, while necessary, are not sufficient for bridge security. The required scope is broader.

  • Full-stack coverage means auditing the off-chain components with the same adversarial intensity as the contracts. Relay processes, proof parsers, event listeners, and message queues handle trust-critical operations. Their security cannot be assumed from a review of the contracts they serve. This includes testing for differential parsing — ensuring that all components that process the same payload agree on what it means.
  • Infrastructure security assessment means treating the validator set, key management procedures, and signer OpSec as attack surfaces. Nation-state attackers have demonstrated that social engineering and infrastructure compromise are viable paths to nine-figure bridge exploits. Bug bounty programs help at the margins — Wormhole and LayerZero both offer up to $2.5 million for critical vulnerabilities, and total bounties paid across all Immunefi programs exceeded $100 million cumulatively by 2025 — but bounties do not address the social engineering vector.
  • Configuration audit means reviewing every deployment parameter against the security assumptions the architecture requires. Quorum thresholds, time lock values, upgrade delays, oracle aggregation windows — each has a minimum secure value. Deploying with defaults that fall below that minimum voids the security model.
  • Continuous monitoring means treating bridge security as an ongoing operational discipline, not a deployment-time event. The Ronin exploit went undetected for five days. Modern monitoring tooling from Forta Network and Chainalysis KYT is meaningfully better than what existed in 2022, and several bridge protocols have now implemented automated circuit breakers that pause withdrawals above a threshold value pending manual review. But automated detection of bridge exploits still lags the speed at which sophisticated attackers can drain contracts once they have identified a vulnerability. The window between first malicious transaction and total drainage can be minutes.

The Fundamental Tension

There is a version of the bridge problem that may not be fully solvable with current technology.

Bridges exist because blockchains are siloed. Bitcoin cannot natively verify Ethereum state. Ethereum cannot natively verify Solana state. The economic demand for interoperability is real — $55 billion in TVL and $23 billion in monthly volume demonstrate that. The technical solution to that demand requires some trusted mechanism for verifying cross-chain events — whether that mechanism is a validator set, an optimistic fraud-proof window, a ZK proof, or a light client.

Each of these trust mechanisms has a security model. Each security model has parameters. Each parameter has a minimum value below which the security model breaks. And each of these systems, deployed into the real world, faces attackers who are patient, well-resourced, and specifically targeting the gaps between the security model as designed and the security model as deployed.

The ZK proof-based bridge designs that have gained traction since 2023 reduce the trusted human element. Succinct Labs' SP1 prover demonstrated in 2024 that ZK proofs of EVM execution can be generated with commodity hardware in near-real-time — a technical milestone that makes ZK light client bridges viable for production at scale. This is a meaningful improvement over the validator set designs responsible for 2022's largest losses. It does not eliminate the attack surface. ZK verifier contracts are complex code. The circuits that generate the proofs have had implementation vulnerabilities. The infrastructure running the provers is subject to the same operational security requirements as validator infrastructure.

Progress is real. The industry is moving toward trust-minimized bridge designs, monitoring tooling has improved, and bridge-specific losses did drop from roughly $2 billion in 2022 to under $300 million in 2024. But the 2026 data — $340 million in bridge losses before June, with Kelp and Drift individually exceeding any single exploit in 2023 or 2024 — suggests the gap between current bridge security practices and the threat environment they operate in remains wide. The attacks are getting larger even as the architecture improves.

Bridges are not a solved problem. They are the highest-value, highest-failure-rate category in DeFi, and the failure modes that drove losses in 2022 are still driving losses in 2026. The architecture is more sophisticated. The audits are more thorough. The attackers are better funded and more patient. The numbers have not moved decisively in the defender's favor.

That gap is the problem. Understanding it structurally — not as a series of isolated incidents, but as a systemic pattern with identifiable causes — is the first step toward closing it.
++
Worried? Get your security audit done today.

Don't launch vulnerable code. Our team will review your smart contracts and deliver a full audit report within 48 hours.

Request Audit
© 0xTeam space 2026. All rights reserved.