Crypto Research

Why Crypto Bridges Keep Getting Hacked

Crypto bridges have lost billions to exploits — Ronin ($625M), Wormhole ($320M), Nomad ($190M). This post explains the structural reasons why: concentrated liquidity, validator compromise, and the hard problem of cross-chain verification.
Lewis Jackson
CEO and Founder

Crypto bridges have lost more money to exploits than almost any other category in the industry. Ronin Network: $625 million in 2022. Wormhole: $320 million. Nomad: $190 million. Poly Network: $611 million. These aren't obscure protocols — Ronin was supporting one of the most popular blockchain games ever built when it was drained.

The question people ask is usually "what went wrong?" But the more useful question is structural: why do bridges keep getting hacked, not just once but repeatedly across different codebases and different teams? Is it bad code? Rushed development? Something inherent to the design?

The answer involves all three. But there's a specific mechanism at the center that makes bridges uniquely dangerous: they're trust anchors for enormous amounts of locked capital, and they rely on systems that are fundamentally harder to secure than a single blockchain.

What Bridges Actually Do

To understand why bridges get hacked, you need to understand what a bridge does. When you bridge an asset from Ethereum to Solana, your ETH doesn't physically travel anywhere. What happens instead: your ETH gets locked (or burned) on Ethereum, and an equivalent representation — a wrapped token — gets minted on Solana. When you bridge back, the wrapped token is burned and the original ETH is released.

This means bridges hold real assets in custody. Every ETH that's been bridged sits in smart contracts on the source chain, waiting. Those contracts become what security researchers call a honeypot — a single point of concentrated value accessible to anyone who can fool the system.

The bridge's security depends on one thing: correctly verifying that events happened on the other chain. Did someone really lock ETH on Ethereum before we mint the wrapped version? Did the user really burn their Solana token before we release the ETH? Answering those questions requires reading state from a different blockchain — and that's where things get structurally complicated.

The Three Main Failure Modes

Different bridges solve the verification problem in different ways. Each approach has its own failure mode, and all of them have been successfully attacked.

Validator-based bridges use a set of designated validators — often a small group — who attest that cross-chain events happened. Ronin used nine validators. An attacker who could compromise five of those nine private keys could approve fraudulent withdrawals. That's exactly what happened: through a combination of social engineering and a backdoor left open in a legacy RPC node, attackers compromised enough keys to sign $625 million in withdrawals that the protocol had no way to reject.

Small validator sets aren't unique to Ronin. Many bridges use small multisigs because larger validator sets introduce coordination complexity and slow the system down. Teams make a tradeoff between security and usability, and attackers target that tradeoff.

Smart contract logic bugs work differently. Wormhole's $320 million hack came from a flaw in signature verification. The bridge's code was supposed to check that a guardian had signed a message before accepting it as valid — a reasonable requirement. A bug in the implementation allowed an attacker to spoof a valid signature using a deprecated system call. The bridge accepted the forged attestation and minted $320 million of ETH on Solana that wasn't backed by anything on Ethereum.

This type of vulnerability can be invisible to reviewers. The code does what it says it does. It's just that "what it says" has an exploitable gap. And because bridge code handles large amounts of value, a single logic error in a signature check can be catastrophic.

Optimistic verification is a third model — assume messages are valid unless someone challenges them within a dispute window. Nomad used this approach. The $190 million hack came from an initialization error that made every message auto-valid. Attackers didn't need a sophisticated exploit. They copied a known attack transaction, changed the destination address to their own wallet, and submitted it. Bots noticed, copied it again with different addresses, and the protocol was drained in hours. No technical sophistication required — just an open door.

Where the Constraints Actually Live

Three structural factors explain why bridge security is so difficult.

First, bridges require trust in an external system. A single blockchain's security comes from thousands of nodes reaching consensus on a shared history. A bridge needs a separate mechanism to verify events on that chain — one that's rarely as decentralized or battle-tested as the chains it connects. You're adding a trust layer on top of existing trust layers, and each new layer is another attack surface.

Second, bridges concentrate liquidity. Every asset that gets bridged accumulates on the source side. A bridge processing $1 billion in assets has $1 billion sitting in a single set of contracts. The larger the bridge, the more attractive the target.

Third, complexity compounds risk. Bridges typically involve multiple smart contracts, validator sets or guardian networks, oracle systems, and relayers. Every component is an attack surface. Every interaction between components is a potential logic error. More moving parts means more places where the system can be fooled.

These constraints aren't unique to poorly designed bridges. They're structural. Even well-audited, well-funded bridges have been compromised because the underlying architecture creates concentrations of risk that are hard to eliminate.

What's Changing

A few directions are worth watching. Zero-knowledge proof bridges are gaining traction — instead of trusting validators to attest that something happened, a ZK proof mathematically verifies it. This eliminates the validator compromise vector entirely. ZK bridges introduce their own complexity and verification requirements, but the trust model is different in a meaningful way.

Layered security models are also becoming more common: time delays on large withdrawals, rate limits, emergency pause mechanisms. These don't prevent attacks, but they reduce the blast radius when something goes wrong. A bridge that can pause withdrawals during an anomaly is materially safer than one that can't.

Some of the more widely used bridges have moved toward protocol-owned security models, where validators have economic stake at risk through slashing. The theory: validators who can be punished financially have stronger incentives to behave correctly. Whether this closes the gap meaningfully is still being tested.

The fundamental problem — bridging requires trusting external verification of events you can't directly observe — hasn't been eliminated by any of these approaches. ZK proofs get closest, but they're still early and complex.

What Would Confirm Improvement

  • ZK-proof bridges sustaining significant TVL without major exploits over 12+ months
  • Reduction in bridge hack frequency relative to total bridge TVL
  • Validator set sizes increasing without proportional latency cost — indicating better distributed key management

What Would Weaken That Case

  • A ZK-based bridge with substantial TVL suffering a significant exploit, suggesting ZK proofs haven't resolved the attack surface
  • Bridge hacks shifting toward oracle or relayer vulnerabilities rather than validator compromise — implying the attack surface changed shape rather than shrunk
  • New bridge designs continuing to concentrate risk in small multisigs despite known failure modes

Timing Perspective

Now: Bridge security remains a live risk. The mechanisms that made past hacks possible — small validator sets, concentrated liquidity, complex cross-chain verification — are still present in most production bridges.

Next: ZK-proof bridges and improved key management (MPC, threshold signatures) are deploying at scale. Their real-world security records will become clearer over the next 12–18 months.

Later: Truly native cross-chain messaging without wrapping would eliminate the honeypot dynamic entirely. Currently theoretical at any meaningful scale.

Boundary

This post explains the structural reasons bridges are repeatedly targeted — not a risk assessment of any specific protocol. TVL, validator configurations, and smart contract audit status change frequently and aren't assessed here.

The mechanisms described here are the ones that produced the largest hacks in crypto history. The tracked version of this analysis — including which architectures have shown better structural resistance and what signals indicate when that's changing — lives elsewhere.

Related Posts

See All
Crypto Research
New XRP-Focused Research Defining the “Velocity Threshold” for Global Settlement and Liquidity
A lot of people looking at my recent research have asked the same question: “Surely Ripple already understands all of this. So what does that mean for XRP?” That question is completely valid — and it turns out it’s the right question to ask. This research breaks down why XRP is unlikely to be the internal settlement asset of CBDC shared ledgers or unified bank platforms, and why that doesn’t mean XRP is irrelevant. Instead, it explains where XRP realistically fits in the system banks are actually building: at the seams, where different rulebooks, platforms, and networks still need to connect. Using liquidity math, system design, and real-world settlement mechanics, this piece explains: why most value settles inside venues, not through bridges why XRP’s role is narrower but more precise than most narratives suggest how velocity (refresh interval) determines whether XRP creates scarcity or just throughput and why Ripple’s strategy makes more sense once you stop assuming XRP must be “the core of everything” This isn’t a bullish or bearish take — it’s a structural one. If you want to understand XRP beyond hype and price targets, this is the question you need to grapple with.
Read Now
Crypto Research
The Jackson Liquidity Framework - Announcement
Lewis Jackson Ventures announces the release of the Jackson Liquidity Framework — the first quantitative, regulator-aligned model for liquidity sizing in AMM-based settlement systems, CBDC corridors, and tokenised financial infrastructures. Developed using advanced stochastic simulations and grounded in Basel III and PFMI principles, the framework provides a missing methodology for determining how much liquidity prefunded AMM pools actually require under real-world flow conditions.
Read Now
Crypto Research
Banks, Stablecoins, and Tokenized Assets
In Episode 011 of The Macro, crypto analyst Lewis Jackson unpacks a pivotal week in global finance — one marked by record growth in tokenized assets, expanding stablecoin adoption across emerging markets, and major institutions deepening their blockchain commitments. This research brief summarises Jackson’s key findings, from tokenized deposits to institutional RWA chains and AI-driven compliance, and explains how these developments signal a maturing, multi-rail settlement architecture spanning Ethereum, XRPL, stablecoin networks, and new interoperability layers.Taken together, this episode marks a structural shift toward programmable finance, instant settlement, and tokenized real-world assets at global scale.
Read Now

Related Posts

See All
No items found.
Lewsletter

Weekly notes on what I’m seeing

A personal letter I send straight to your inbox —reflections on crypto, wealth, time and life.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.