The short answer is that assets get drained from one side of the bridge while the synthetic versions of those assets on the other side become worthless or unbacked. But that summary skips the mechanism — and the mechanism is what determines who loses what, how fast, and whether there's any path to recovery.
What a Bridge Actually Holds
A cross-chain bridge exists to move value between blockchains that can't communicate natively. Ethereum and Arbitrum don't share state. Neither do Ethereum and Solana, or Ethereum and BSC. To transfer ETH to Arbitrum, you're not actually moving ETH — you're locking ETH in a smart contract on Ethereum, and minting a corresponding wrapped token on Arbitrum. When you bridge back, the wrapped token is burned and the original ETH is released.
This means bridges become vaults. A bridge with $500M of assets bridged has $500M of real assets sitting in smart contracts on the source chain, plus synthetic representations of those assets circulating on the destination chain. That's a significant honeypot.
The attack surface is everything that controls the minting on one end or the releasing on the other. And those are very different things, which is why bridge exploits have taken several distinct forms.
How the Exploits Actually Happen
Smart contract bugs are the most common failure mode. The Wormhole bridge lost $320M in February 2022 when an attacker found a flaw in the Solana-side contract that allowed forged guardian signature verification. The attacker essentially claimed that 120,000 ETH had been deposited on Ethereum without depositing anything. The Solana contract minted 120,000 wETH to the attacker. The Ethereum vault wasn't touched — the failure was that the Solana side didn't verify the deposit had actually occurred.
The Nomad bridge exploit in August 2022 was a different failure mode. A configuration update introduced a flaw that made every transaction pass validation automatically. Once a few sophisticated actors discovered this, the information spread. Hundreds of independent wallets drained the $190M bridge over several hours by copy-pasting the original attacker's transaction and changing the recipient address. A chaotic, crowdsourced drain.
Key compromise is the other major category, and it's arguably scarier because no amount of smart contract auditing helps. The Ronin bridge (Axie Infinity's network) lost $625M in March 2022 not because of a code bug but because Lazarus Group — North Korea's state-sponsored hacking unit — compromised five of nine validator private keys through social engineering and an exploited RPC node. With five keys, they met the threshold and approved withdrawals of 173,600 ETH and $25.5M USDC. The bridge contract worked exactly as coded.
The Harmony Horizon bridge ($100M, June 2022) followed the same pattern: two of five multisig keys compromised, threshold met, funds out.
What Happens to Users
When the vault gets drained, bridged assets on the destination chain become unbacked. If you hold wETH (Wormhole-bridged ETH) on Solana and the Wormhole vault on Ethereum gets emptied, your wETH is now backed by nothing. In theory it can still be sold on DEXes — until the market prices in the loss, which tends to happen quickly.
The secondary exposure is worth flagging. If you're using DeFi protocols built on top of bridged assets — lending pools, yield strategies, anything that accepts bridged tokens as collateral — you can have exposure you didn't intentionally take on. The bridge failure propagates through anything downstream of it.
Bridge protocols often freeze operations when an exploit is detected, but by that point the draining has usually completed. Response times for bridge exploits tend to be measured in hours, partly because the on-chain evidence is clear but the off-chain coordination — who has authority to pause, where they are, whether they're awake — isn't.
Recovery: The Rare Cases and the Common Ones
Jump Crypto backstopped the Wormhole exploit by injecting 120,000 ETH into the vault within days. Users were made whole. This was possible because Wormhole had a well-capitalized backer with strong reputational incentives. Not the norm.
Poly Network's $611M exploit in 2021 ended unusually — the attacker eventually returned almost all the funds, claiming the exploit was a demonstration. Vanishingly rare.
Most exploits don't end with recovery. Nomad users weren't made whole by the protocol. Harmony Horizon users weren't. Ronin users were eventually compensated through a combination of company reserves and a future token sale commitment — but Sky Mavis had to raise $150M to cover it, and the process took years.
The general rule: if a well-funded entity has strong financial reasons to backstop the loss, recovery is possible. Otherwise, the funds are gone.
Why Bridges Are Structurally Riskier Than Other Protocols
Standard smart contracts operate in one execution environment. Bridges operate across two — and each bridge is essentially an attempt to synchronize state between systems that have no shared trust model. Whatever enforces that synchronization (another smart contract, a validator set, an optimistic challenge mechanism) has its own failure mode.
Unlike a DEX or lending protocol, a bridge also tends to be a single point of failure for a large amount of downstream value. If a liquidity pool gets exploited, that pool's funds are at risk. If a bridge gets exploited, every asset whose backing depends on that bridge is at risk simultaneously. The TVL-in-contracts number understates the exposure because bridged assets get reused as collateral, wrapped again, deposited in yield strategies. One failure propagates.
This is why bridges have consistently attracted the largest hacks in DeFi history. They're not just valuable targets — they're structurally difficult to secure because of the cross-chain trust problem.
What's Changing
The main structural shift is toward bridges that prove message validity cryptographically rather than attesting to it through a validator set.
Zero-knowledge light clients — where the destination chain verifies a ZK proof of the source chain's state — eliminate the key compromise attack vector entirely. There's no key to steal because the bridge doesn't rely on trusted signers. The proof either validates or it doesn't. Succinct Labs' Telepathy protocol and zkSync's native bridge use this approach. The tradeoff is computational cost and latency; generating ZK proofs isn't free or instant.
Most serious bridge protocols now also implement circuit breakers — rate limits on how much can be withdrawn within a given time window. This doesn't prevent exploits, but it limits the blast radius and buys time for response. An attacker who triggers a circuit breaker alerts the team before all funds are drained. It's a defensive mechanism, not a fix.
Confirmation and Invalidation
Confirmation: ZK bridge adoption at scale with clean security track records; absolute losses declining relative to bridge TVL over multiple cycles; circuit breakers successfully limiting exploit damage in practice.
Invalidation: Continued large-scale losses at formally audited bridges; ZK proof generation systems developing their own critical bugs; social engineering attacks scaling faster than multisig threshold improvements.
Timing Perspective
Now — active risk. Bridges collectively hold tens of billions in assets. Smart contract vulnerabilities and key management failures are both live attack surfaces. Anyone holding assets that originated on a different chain has bridge exposure, even if they don't think of it that way.
Next — ZK light client bridges moving from research and early deployment toward production use at significant TVL. Better multisig tooling and threshold schemes. Broader adoption of circuit breakers as standard practice.
Later — if trust-minimized cross-chain messaging becomes deeply standardized infrastructure with years of security track record, the risk profile changes substantially. That's probably years away, and "battle-tested" has to be earned, not assumed.
Boundary
This covers exploit mechanics and user exposure. It doesn't address the regulatory treatment of bridge losses, tax implications of losing bridged assets, or the current security status of any specific bridge. A bridge that's been audited is not the same as a bridge that's safe — audit history reflects a point in time and the code as-deployed, not ongoing operational security or key management practices.
