Bridge Safety Guide
Cross-chain bridges have lost over $2.5 billion to exploits since 2021. This guide teaches you how bridges work, what can go wrong, and the exact steps to protect your assets when moving them between blockchains.
What is Bridging?
Bridging is the process of moving crypto assets from one blockchain to another. Because blockchains are isolated by design, bridges act as intermediaries that verify and relay transactions across networks. There are several fundamentally different approaches, each with distinct trade-offs.
Assets are locked in a smart contract on the source chain while equivalent wrapped tokens are minted on the destination chain. When you bridge back, the wrapped tokens are burned and originals unlocked.
Example
Wrapped Bitcoin (WBTC) uses this model — BTC is locked with a custodian while WBTC is minted on Ethereum.
Key Risk
If the lock contract is exploited, attackers can drain the locked collateral, leaving wrapped tokens unbacked.
Tokens are permanently burned on the source chain, and an equivalent amount is minted natively on the destination chain. No locked reserves exist.
Example
Circle's Cross-Chain Transfer Protocol (CCTP) burns USDC on the source chain and mints native USDC on the destination.
Key Risk
Relies on the mint authority being secure. If the minting key is compromised, unlimited tokens can be created.
Trusted bridges rely on a centralized group of validators or a multi-sig wallet to verify transactions. Trustless bridges use cryptographic proofs, light clients, or optimistic verification to remove human trust assumptions.
Example
Multichain used a trusted multi-sig model; IBC (Cosmos) uses light-client verification for trustless bridging.
Key Risk
Trusted bridges have a single point of failure — compromise the validators and you compromise the bridge.
Common Bridge Risks
Understanding how bridges have been exploited in the past is the best way to evaluate the risk of using them today. These are the five most common attack vectors, illustrated with real-world incidents.
Vulnerabilities in bridge smart contracts are the most common attack vector. A single bug in verification logic can let attackers fabricate proofs or drain locked funds.
Wormhole — $325M (Feb 2022)
An attacker exploited a signature verification vulnerability on Solana's side of the Wormhole bridge, minting 120,000 wETH without depositing any collateral on Ethereum.
Bridges secured by multi-sig wallets or validator sets are only as strong as the key management of those signers. Compromising enough keys gives full control.
Ronin Bridge — $624M (Mar 2022)
North Korean hackers (Lazarus Group) compromised 5 of 9 validator keys for the Ronin bridge used by Axie Infinity, authorizing fraudulent withdrawals of 173,600 ETH and 25.5M USDC.
Flaws in how a bridge verifies cross-chain messages can allow anyone to submit fraudulent proofs that the bridge accepts as legitimate.
Nomad — $190M (Aug 2022)
A routine upgrade introduced a bug that made every message valid by default. Once one attacker found it, hundreds of copycats drained the bridge in a chaotic free-for-all.
Attackers can manipulate governance votes or exploit timelocks to push malicious upgrades to bridge contracts, potentially changing the verification logic.
Multichain — $130M+ (Jul 2023)
Multichain's CEO held sole control of server infrastructure. When he was detained by Chinese authorities, $130M+ was moved from bridge contracts — funds that were never recovered.
Scammers create pixel-perfect clones of popular bridge interfaces and promote them through search ads, Discord messages, and social media. Users approve malicious contracts that drain their wallets.
Ongoing phishing campaigns
Google and X (Twitter) ads frequently link to fake bridge sites. In 2023, multiple bridge phishing campaigns drained an estimated $50M+ across thousands of individual victims.
Pre-Bridge Checklist
Run through every item on this checklist before you approve a bridge transaction. Skipping even one step has led to irreversible losses for experienced users.
Verify the bridge URL manually — type it or use a bookmark, never click links from Discord, Telegram, or search ads
Check the bridge's audit history on their official docs page and cross-reference with the auditing firm's website
Confirm the bridge supports your specific token — bridging unsupported tokens can result in permanent loss
Start with a small test transaction (under $50) before bridging significant amounts
Verify gas fees on both source and destination chains — ensure you have native tokens for gas on the receiving end
Check the bridge's current TVL and recent transaction volume on DefiLlama — declining TVL can signal problems
Look for recent security incidents or team controversies on Rekt News and crypto Twitter
Ensure your wallet is connected to the correct network before approving any transactions
Recommended Bridges
No bridge is risk-free, but these five have strong track records, professional audits, and active development teams. Always verify you are on the correct URL before connecting.
Fastest settlement times with competitive fees. Uses an optimistic oracle model backed by UMA.
Type
Intent-based (optimistic)
Supported Chains
Native asset bridging with unified liquidity pools. No wrapped tokens — you receive native assets.
Type
Liquidity pool (LayerZero)
Supported Chains
Widest chain support, including non-EVM chains. Rebuilt its security model after the 2022 exploit, with a $2.5B+ bug bounty.
Type
Guardian network (multi-sig)
Supported Chains
Protocol-level messaging layer used by 35,000+ contracts. Powers cross-chain tokens (OFT standard).
Type
Omnichain messaging protocol
Supported Chains
Specialises in L2-to-L2 transfers with fast finality. Proven track record since 2021 with zero exploits.
Type
Liquidity network (Bonder model)
Supported Chains
Post-Bridge Verification
Your bridge transaction confirmed — but you are not done yet. Follow these four steps to verify everything arrived correctly and close any loose ends.
Verify on Destination Explorer
Open the block explorer for the destination chain (Arbiscan, Optimistic Etherscan, etc.) and confirm the tokens appear at your address. Do not rely solely on your wallet UI.
Check Token Contract Address
Verify the received token's contract address matches the canonical address listed on CoinGecko or the project's official docs. Scam tokens may appear with the same name but a different contract.
Revoke Unlimited Approvals
Use Revoke.cash or the built-in approval manager in your wallet to revoke any unlimited token approvals you granted during bridging. Leftover approvals are an attack surface.
Document the Transaction
Save the transaction hashes for both the source and destination chains. You will need these for tax reporting, dispute resolution, or if the bridge has a delayed finality issue.
Anti-Phishing Tips
Bridge phishing is one of the most financially damaging scam categories because users are already prepared to approve large token transfers. These tips are specific to bridge-related phishing attacks.
Bookmark Official Bridge URLs
Save the official URL for every bridge you use. Always navigate via your bookmarks — never trust search engine results, as scammers buy top ad placements for fake bridge sites.
Verify the Domain Certificate
Click the padlock icon in your browser and verify the SSL certificate belongs to the correct organization. Phishing sites use look-alike domains (e.g., across-bridge.io instead of across.to).
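The hostname comparison behind this tip can be automated. The sketch below is an added example, not part of the original guide: the allowlist is an assumption that stands in for your own bookmarks, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the hosts you have bookmarked yourself. across.to is the
# legitimate domain named in the tip above.
BOOKMARKED_HOSTS = {"across.to"}


def check_bridge_url(url, bookmarked=BOOKMARKED_HOSTS):
    """Return (ok, reason); ok is True only for HTTPS to an exactly bookmarked host."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    # https://across.to@bridge.example/ shows a trusted name but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalized host, possible homograph"
    if host in bookmarked:
        return True, "exact bookmark match"
    # Not bookmarked: report whether it borrows a bookmarked brand name.
    for good in sorted(bookmarked):
        if good.split(".")[0] in host:
            return False, "look-alike of " + good
    return False, "host not bookmarked"


# Constructed sample links, as they might arrive in a chat message or an ad.
SAMPLES = [
    "https://across.to/bridge",
    "https://across-bridge.io/",
    "https://across.to.login.example/",
    "https://across.to@bridge.example/",
    "https://xn--acrss-example.to/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_bridge_url(link))
```

Only an exact match on the full hostname passes. A familiar brand name appearing anywhere else in the URL is treated as a warning sign rather than as evidence of legitimacy.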
Never Connect Wallet from Links
If someone shares a bridge link in Discord, Telegram, or Twitter DMs, do not click it. Even "helpful" community members may be phishing. Always navigate to the bridge yourself.
Inspect Transaction Details Before Signing
Before approving any bridge transaction, carefully read what your wallet is asking you to sign. Legitimate bridges will not ask for unlimited token approvals or request you to sign arbitrary messages.
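What "read what your wallet is asking you to sign" means for a token approval, and what the "Revoke Unlimited Approvals" step looks for afterwards, is shown in this added example (not part of the original guide). It decodes raw ERC-20 `approve(address,uint256)` calldata and flags an unlimited or unexpected allowance. The spender address, amounts and calldata are constructed samples, and `known_spenders` is assumed to come from the bridge's official docs.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # ERC-20 approve(address,uint256)
MAX_UINT256 = 2**256 - 1                      # the usual "unlimited" allowance


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    raw = calldata_hex[2:] if calldata_hex[:2].lower() == "0x" else calldata_hex
    data = bytes.fromhex(raw)
    # 4-byte selector + two 32-byte ABI words.
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    if any(data[4:16]):
        raise ValueError("address word has non-zero padding")
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return spender, amount


def review_approval(calldata_hex, intended_amount, known_spenders):
    """List reasons to reject the request; an empty list means nothing was flagged."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return ["not an ERC-20 approve call, review it separately"]
    spender, amount = decoded
    findings = []
    if spender not in {s.lower() for s in known_spenders}:
        findings.append("spender is not a known bridge contract")
    if amount == MAX_UINT256:
        findings.append("unlimited approval")
    elif amount > intended_amount:
        findings.append("approval exceeds the amount being bridged")
    return findings


# Constructed sample data: a placeholder spender and a 25 USDC transfer
# (USDC uses 6 decimals, so amounts are in millionths of a token).
SPENDER = "0x" + "11" * 20
BRIDGED = 25 * 10**6
UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
EXACT = "0x095ea7b3" + "00" * 12 + "11" * 20 + BRIDGED.to_bytes(32, "big").hex()

if __name__ == "__main__":
    print(review_approval(UNLIMITED, BRIDGED, [SPENDER]))
    print(review_approval(EXACT, BRIDGED, [SPENDER]))
```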
Use a Dedicated Bridge Wallet
Consider using a separate wallet with limited funds specifically for bridging operations. If a phishing site compromises this wallet, your main holdings remain safe.
Cross-Check on Bridge Aggregators
Use aggregators like Li.Fi, Socket, or Jumper to compare bridge routes. These platforms vet the bridges they integrate, adding an extra layer of verification before you interact directly.