Cross-chain bridges have become attractive targets because they hold large pools of value locked in smart contracts while issuing representations of those assets on other networks. When attackers find a way to bypass verification controls or gain access to privileged keys, they can move assets out of those pools very quickly.
Incidents since 2022, including Wormhole and Ronin in 2022, Harmony’s Horizon Bridge and BNB Chain’s Token Hub, and later Force Bridge in 2025 and CrossCurve in 2026, show that the same classes of weakness continue to recur. Public post-incident reporting focuses on seven main areas: message verification, key and validator security, operational centralization, upgrade risk, accounting design, detection and response, and the use of bridges in laundering.
Key Security Insights from Cross-Chain Bridge Exploits
- Chainalysis estimated in 2022 that about $2 billion had been stolen across 13 cross-chain bridge hacks, accounting for most funds stolen that year.
- Bridge exploits between 2020 and early 2026 cluster around flawed message verification, compromised keys and validators, operational centralization, risky upgrades, drain-prone pool designs and slow detection.
- Case studies of Wormhole, Ronin, Harmony’s Horizon Bridge, BNB Chain’s Token Hub, Force Bridge and CrossCurve show how small control failures can produce multi-million dollar losses.
- Architecture decisions such as pooled custody and unlimited minting determine whether a single bug can drain an entire bridge or only a limited portion of its assets.
- Developers can reduce systemic bridge risk with on-chain verification where feasible, strict value limits, hardware- or MPC-backed keys, transparent governance and rehearsed incident response plans.
Bridges as Cross-Chain Messaging Systems
Chainalysis describes cross-chain bridges as protocols that let users port digital assets from one blockchain to another by locking tokens on a source chain and issuing equivalent assets on a destination chain. Users typically send funds to a bridge contract, which holds those funds while the user receives a parallel asset on the target network backed by the locked collateral.
In technical terms, a bridge is a messaging system that convinces one blockchain to accept a claim about events on another chain. To release or mint tokens, the bridge’s contracts on the destination chain must verify that a corresponding lock, burn or state update occurred on the source chain.
Designs differ, but most combine on-chain verification logic with off-chain actors such as relayers or validators that assemble and submit proofs or signatures. Security therefore reduces to two broad problems.
The first is whether the verification logic on the destination chain correctly checks that a message is genuine and unmodified. The second is whether the entities allowed to sign or relay those messages can be trusted not to abuse or lose their authority.
The same Chainalysis analysis notes that bridges often centralize funds that back the bridged assets in a single storage point on the sending chain. Regardless of whether that storage is a custodial account or a smart contract, a flaw that lets attackers bypass verification or misuse privileged roles can cause losses across the entire pool rather than in individual user accounts.
Verification Failures and Compromised Authority
Many bridge hacks trace back to mistakes in message verification, where the destination chain accepts a forged or replayed message as valid. Common issues include missing or incomplete signature checks, incorrect assumptions about how proof data is formatted, insufficient replay protection and weak separation between different message types or source domains.
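The checks named above can be modeled as a small destination-side verifier. This is an added Python example, not code from any bridge discussed here. HMAC-SHA256 stands in for per-validator public-key signatures, and the validator names, chain identifiers and quorum size are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed validator set. HMAC-SHA256 stands in for per-validator
# public-key signatures so the model needs only the standard library.
VALIDATOR_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}
QUORUM = 2
LOCAL_CHAIN = "chain-B"          # hypothetical destination domain
TRUSTED_SOURCES = {"chain-A"}    # hypothetical source domains

@dataclass(frozen=True)
class Message:
    msg_type: str   # bound into the digest to separate message kinds
    src: str
    dst: str
    nonce: int
    recipient: str
    amount: int

def digest(m: Message) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    parts = [m.msg_type, m.src, m.dst, str(m.nonce), m.recipient, str(m.amount)]
    blob = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hashlib.sha256(b"bridge-v1" + blob).digest()

def sign(validator: str, m: Message) -> bytes:
    return hmac.new(VALIDATOR_KEYS[validator], digest(m), hashlib.sha256).digest()

class Verifier:
    def __init__(self):
        self.seen = set()   # (src, nonce) pairs already executed

    def accept(self, m: Message, sigs: dict) -> str:
        if m.msg_type != "mint":
            return "reject: unexpected message type"
        if m.dst != LOCAL_CHAIN or m.src not in TRUSTED_SOURCES:
            return "reject: wrong domain"
        if (m.src, m.nonce) in self.seen:
            return "reject: replay"
        # dict keys are unique, so one validator cannot be counted twice.
        valid = [v for v, s in sigs.items() if v in VALIDATOR_KEYS
                 and hmac.compare_digest(s, sign(v, m))]
        if len(valid) < QUORUM:
            return "reject: quorum not met"
        self.seen.add((m.src, m.nonce))
        return "accept"
```

The nonce is recorded only after every other check passes, so a rejected message cannot burn a nonce that a legitimate message will need later.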
Halborn’s analysis of the Wormhole incident in February 2022 explains that the bridge’s Solana contract delegated signature verification through several functions. It relied on a deprecated instruction-loading command that did not fully validate a system address. As a result, an attacker could bypass proper signature checks and mint 120,000 wrapped ETH, valued at about 326 million dollars at the time, without providing the required authorization on the locked side of the bridge.
A 2026 write-up from Halborn describes CrossCurve as a cross-chain bridge that suffered an estimated three million dollar loss in February 2026. The report attributes the incident to access control vulnerabilities in the contract that received messages from Axelar. This allowed an attacker to make the contract treat crafted inputs as if they originated from the trusted messaging system and release tokens without a corresponding deposit on another chain.
The second major category involves the authority used to approve bridge operations. In its review of the March 2022 Ronin Network hack, Halborn notes that the bridge relied on a set of validator nodes. Compromised private keys allowed the attacker to obtain approvals from a quorum of those validators. With sufficient signing authority, an attacker can initiate withdrawals that the bridge logic will accept as valid even if the underlying on-chain event never occurred.
An FBI press release in early 2023 states that the bureau attributed the theft of 100 million dollars from Harmony’s Horizon Bridge in June 2022 to the North Korean-linked Lazarus Group. The same notice lists a series of cryptocurrency wallets that the FBI associates with that theft. This highlights that state-linked actors regard bridge credentials and privileged keys as strategically important assets to compromise.
Halborn’s 2025 post on the Force Bridge hack examines a cross-chain bridge connecting the Nervos Network to other blockchains and reports an estimated loss of about 3.76 million dollars. The analysis describes the root cause as an access control issue in which an attacker used private keys to call privileged functions in the bridge contracts, unlocking and draining tokens on Ethereum and BNB Smart Chain.
Combined with the Ronin and Horizon incidents, this shows that key and validator security failures can be as damaging as direct smart contract bugs.
Architecture, Governance and Operational Weaknesses
Public reporting on bridge incidents also emphasizes the role of architecture and governance. Cross-chain bridges commonly pool user deposits in a single contract that issues corresponding tokens on other networks. When verification or access control fails, that design allows an attacker to withdraw or mint value up to the size of the entire pool instead of only affecting a single user position.
The BNB Chain team’s ecosystem update from October 2022 explains that an exploit affected the native bridge between BNB Beacon Chain and BNB Smart Chain, known as BSC Token Hub. According to that post, an attacker withdrew a total of 2 million BNB after forging a low-level proof used in a shared library. This took advantage of the way the bridge validated messages before releasing tokens on the smart contract side.
The same BNB Chain statement describes how validators coordinated to halt the chain in order to contain the incident and notes that the majority of funds remained under control as a result. This illustrates how architectural choices such as relying on a single bridge contract, combined with governance mechanisms that permit emergency pauses, can both concentrate risk and provide a last line of defense when something goes wrong.
Bridges also evolve over time through upgrades that add new chains, adjust parameters or modify verification logic. Each change to the contracts that check cross-chain messages or manage custody introduces a fresh set of assumptions. Without strict review processes, timelocks and transparent governance, a legitimate configuration change can unintentionally create an easy path for unauthorized mints or withdrawals across every network the bridge supports.
Operational centralization can further increase the impact of such errors. Even when projects describe bridges as decentralized, day-to-day control over deployment keys, cloud infrastructure, signing hardware and upgrade pipelines often rests with a relatively small engineering or operations group. If those accounts are compromised or misused, an attacker may gain broad control over bridge behavior without needing to find a low-level protocol bug.
Detection, Incident Response and Laundering Through Bridges
Several post-mortems emphasize how quickly bridge exploits unfold and how important monitoring and response procedures are. In its Force Bridge analysis, Halborn notes that the attacker made multiple failed attempts over roughly six hours before successfully draining the protocol. The report argues that effective monitoring of privileged calls could have given the team time to revoke access or move funds to safer locations before the attack succeeded.
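Monitoring of privileged calls, as described above, can start from a rule as simple as the following. This is an added Python example, not taken from the Halborn report or any bridge's tooling. The function names, account labels, threshold and log lines are constructed, and the six-hour window mirrors the period mentioned in the Force Bridge analysis.

```python
from collections import defaultdict

# Hypothetical names: privileged bridge functions and the accounts expected
# to call them. Real values come from the bridge's own contracts and runbook.
PRIVILEGED = {"unlock", "setValidators", "upgradeTo"}
EXPECTED_CALLERS = {"0xops-multisig"}
FAIL_THRESHOLD = 3          # reverted privileged calls per caller
WINDOW_S = 6 * 3600         # look-back window in seconds

# Constructed sample events: "timestamp caller function status"
SAMPLE_LOG = """\
1000 0xops-multisig setValidators ok
2000 0xunknown-1 unlock reverted
5000 0xuser-7 deposit ok
9000 0xunknown-1 unlock reverted
15000 0xunknown-1 unlock reverted
20000 0xunknown-1 unlock ok
"""

def parse(log):
    for line in log.splitlines():
        ts, caller, func, status = line.split()
        yield int(ts), caller, func, status

def alerts(log):
    out = []
    failures = defaultdict(list)   # caller -> recent reverted privileged calls
    for ts, caller, func, status in parse(log):
        if func not in PRIVILEGED:
            continue
        if status == "reverted":
            # Keep only failures inside the window, then add this one.
            recent = [t for t in failures[caller] if t > ts - WINDOW_S] + [ts]
            failures[caller] = recent
            if len(recent) == FAIL_THRESHOLD:
                out.append((ts, caller, "repeated failed privileged calls"))
        elif caller not in EXPECTED_CALLERS:
            out.append((ts, caller, "privileged call from unexpected account"))
    return out
```

On the sample log the first alert fires at the third reverted call, before the successful one, which is the response window the paragraph describes.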
The BNB Chain update explains that validators paused the BNB Smart Chain by contacting validators individually and coordinating a halt to block production. While such interventions carry their own trade-offs, that example shows that predefined communication channels, clear pause authority and practiced coordination can limit the damage from an active exploit.
Bridges also appear in the laundering phase after major thefts. A December 2025 blog post from Chainalysis on North Korea-linked activity reports that DPRK hackers stole about 2.02 billion dollars in cryptocurrency in 2025. It describes their strong preference for bridge services, mixing protocols and Chinese-language money laundering networks when moving stolen funds.
The same analysis highlights that DPRK-associated laundering often follows a structured, multi-stage pattern over roughly 45 days. In this pattern, cross-chain bridges are used alongside mixers, instant exchanges and specialized over-the-counter services. This means that even if an initial exploit targets a protocol on a single chain, the funds can quickly propagate across multiple networks.
This multiplies the number of entities that must coordinate to freeze, track or recover assets. For bridge operators, this has two implications.
First, the speed at which funds move through bridges and other services limits the time available to intervene after an attack is detected. Second, the fact that attackers deliberately use bridges to fragment stolen assets underscores that bridge operators, analytics firms and law enforcement will often be working on the same incidents from different vantage points.
Design and Operational Practices for Cross-Chain Developers
The case studies above suggest that security for cross-chain bridges depends on a combination of architecture, verification rigor and operational discipline. On the architecture side, designs that minimize pooled custody or limit what each message can authorize reduce the maximum loss from a single failure. This can include per-transaction caps, route-specific ceilings, delayed finalization for large transfers and rate limits that slow down any unexpected volume spikes.
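The limits listed above can be combined in one guard that sits between the verifier and the funds. This is an added Python example for a single route, not code from any bridge named in this article. The class name, parameters and amounts are constructed.

```python
from collections import deque

class OutflowGuard:
    """Bounds what one route can release, whatever the verifier accepted."""

    def __init__(self, per_tx_cap, window_cap, window_s, delay_over, delay_s):
        self.per_tx_cap = per_tx_cap    # hard ceiling for a single transfer
        self.window_cap = window_cap    # ceiling on total outflow per window
        self.window_s = window_s        # rolling window length in seconds
        self.delay_over = delay_over    # transfers at or above this are delayed
        self.delay_s = delay_s          # how long a large transfer waits
        self.recent = deque()           # (timestamp, amount) of admitted outflow
        self.pending = []               # (release_time, amount) not yet final

    def _window_total(self, now):
        # Drop entries that have aged out of the rolling window.
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent.popleft()
        return sum(a for _, a in self.recent)

    def request(self, now, amount):
        if amount <= 0 or amount > self.per_tx_cap:
            return "reject: per-transaction cap"
        if self._window_total(now) + amount > self.window_cap:
            return "reject: rate limit"
        # Count the amount against the window as soon as it is admitted,
        # so queued transfers cannot stack up beyond the ceiling.
        self.recent.append((now, amount))
        if amount >= self.delay_over:
            self.pending.append((now + self.delay_s, amount))
            return "delayed"
        return "release"

    def finalize(self, now, paused=False):
        """Release delayed transfers whose timer expired, unless paused."""
        if paused:
            return []
        due = [a for t, a in self.pending if t <= now]
        self.pending = [(t, a) for t, a in self.pending if t > now]
        return due
```

With these limits the most a forged message stream can release in one window is `window_cap`, and large transfers stay reversible until their delay expires or an operator pauses finalization.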
Verification logic should be kept as small and transparent as possible, with clear invariants around which messages are accepted and how signatures or proofs are validated. Independent audits are most useful when they focus on those invariants, replay protections and domain separation rather than on general coding style.
Where resources allow, formal verification of core verifier contracts can provide additional assurance that no path exists for a message to be accepted without the required evidence from the source chain.
Key and validator management needs to assume that attackers are actively trying to obtain or misuse signing authority. The Ronin, Horizon Bridge and Force Bridge incidents show that once an attacker controls enough validator keys or privileged accounts, the protocol will usually treat their transactions as legitimate.
Practical mitigations include using hardware security modules or multi-party computation wallets for key storage. Separating signing infrastructure from build and deployment systems, and enforcing strict access controls and logging on any account that can change bridge parameters, are also critical.
Upgrade pipelines benefit from predictable, reviewable processes. Timelocks on contract changes, multi-person approvals for deployments, reproducible builds and clear rollback procedures all make it harder for a single engineer or compromised system to introduce a dangerous change.
Publishing upgrade plans and governance decisions also helps external reviewers understand when risk may be elevated, such as during a migration of validator sets or a change to message formats.
Incident response planning is the final layer that connects technical design with real-world operations. Teams can define in advance who is authorized to trigger pause mechanisms, how to contact validators and major exchanges, what thresholds justify halting a bridge or chain, and how to communicate with users during an incident. Regular drills that simulate a bridge exploit or key compromise help ensure that these procedures are practical under time pressure.
For analysts and regulators, transparent post-incident reporting similar to the publications from Chainalysis, Halborn, the FBI and BNB Chain provides valuable data on how attacks actually unfold. For developers, those reports offer concrete guidance on which assumptions tend to fail in production and which operational safeguards have helped to limit losses.
Taken together, the major bridge incidents from 2020 through early 2026 suggest that losses are driven less by novel attack techniques than by a small set of recurring structural weaknesses. Protocols that centralize large pools of value, rely on complex verification logic and concentrate authority in a few keys or accounts remain especially exposed.
Cross-chain developers who design for bounded failure, invest in rigorous verification of core contracts and treat keys and operational processes as critical infrastructure can substantially reduce both the likelihood and the impact of bridge exploits. As cross-chain activity grows, the stability of this infrastructure will depend on whether those lessons are incorporated into the next generation of bridge designs.
Sources
- Chainalysis Team. "Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk." Chainalysis, 2022.
- Rob Behnke. "Explained: The CrossCurve Hack (February 2026)." Halborn, 2026.
- Rob Behnke. "Explained: The Force Bridge Hack (June 2025)." Halborn, 2025.
- Rob Behnke. "Explained: The Wormhole Hack (February 2022)." Halborn, 2022.
- Rob Behnke. "Explained: The Ronin Hack (March 2022)." Halborn, 2022.
- Chainalysis Team. "North Korea Drives Record $2 Billion Crypto Theft Year, Pushing All-Time Total to $6.75 Billion." Chainalysis, 2025.
- Federal Bureau of Investigation. "FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft." Federal Bureau of Investigation, 2023.
- BNB Chain Team. "BNB Chain Ecosystem Update." BNB Chain, 2022.
