Cross-Chain Bridges: A Plain-English Guide To How They Work And When To Avoid Them

Key Takeaways

Cross-chain bridges let you move crypto between different blockchains, but they do this by locking assets on one chain and creating representations on another, which introduces unique security risks.
Bridges have been the single most targeted infrastructure in DeFi. Hundreds of millions of dollars have been lost to bridge exploits.
For many users, transferring through a centralised exchange or using a native bridge is safer and simpler than using a third-party bridge.

The Problem Bridges Are Trying to Solve

Blockchains do not natively communicate with each other. Bitcoin cannot see what is happening on Ethereum. Ethereum does not know what is on Solana. Each blockchain is its own isolated system.

This creates a fragmentation problem. If you hold ETH on Ethereum but want to use a DeFi application on Arbitrum, Polygon, or another network, you need a way to move value across chains. That is what a bridge does.

Cross-chain bridges are protocols that facilitate the transfer of tokens or data between two separate blockchains. They have become a critical piece of DeFi infrastructure, enabling users to access different ecosystems without going back through a centralised exchange every time.

The problem is that bridges have also become the most reliably exploited category of infrastructure in crypto.

How Bridges Work: The Two Main Models

There are two primary technical models for how bridges handle asset transfers. Understanding both helps you assess the risks.

Model 1: Lock-and-Mint Bridges

This is the most common bridge model. Here is how it works:

You send Token A on Chain A to a bridge smart contract. The contract locks your tokens.
The bridge observes that lock event.
The bridge mints an equivalent "wrapped" version of Token A on Chain B and sends it to your wallet.
When you want to return, you send the wrapped tokens back to the bridge on Chain B. The bridge burns them and unlocks the original tokens on Chain A.

The core risk: The locked assets on Chain A represent a concentrated pool of value. If the bridge smart contract is compromised, all locked assets can be drained at once. This is exactly what happened in several major exploits.

Model 2: Liquidity Pool Bridges

Instead of locking and minting, liquidity pool bridges maintain reserves of the actual native token on each chain.

You deposit Token A on Chain A into a liquidity pool.
The bridge sends you Token A from its existing pool on Chain B.
No wrapping happens. You receive the real, native token on the destination chain.

The core risk: The bridge relies on having sufficient liquidity on both sides. In periods of high demand for one direction, pools can become imbalanced. This model is generally considered safer than lock-and-mint because there is no single massive locked pool, but it is not risk-free.

The Bridge Exploit Record

Bridges have suffered some of the largest hacks in crypto history. The scale of losses has made bridge security one of the most discussed topics in the industry.

Bridge	Year	Amount Lost	Method
Ronin Network (Axie Infinity)	2022	~$625 million	Private key compromise
Wormhole	2022	~$320 million	Smart contract exploit
Nomad	2022	~$190 million	Logic flaw in smart contract
Harmony Horizon	2022	~$100 million	Private key compromise
Multichain	2023	~$130 million	Suspected internal compromise

These are widely reported figures from public post-mortems and blockchain analytics firms. Exact amounts vary by source due to price fluctuations at the time of the exploit.

The pattern is clear. Bridges concentrate enormous value in smart contracts or multisig wallets. A single vulnerability, whether in code or key management, can result in catastrophic loss.

Bridge TVL as a Risk Signal

Total Value Locked (TVL) in a bridge refers to the amount of assets currently held in the bridge's smart contracts. A high TVL can indicate popularity and usage, but it also indicates a larger target for attackers.

A bridge holding $500 million in locked assets has a much stronger incentive for sophisticated attackers to invest time and resources into finding vulnerabilities compared to a bridge holding $5 million.

This does not mean high-TVL bridges are necessarily less safe. Larger protocols often have more resources to spend on security. But TVL concentration is a risk factor worth being aware of, especially for newer or less established bridges.

How to Assess a Bridge Before Using It

If you need to use a bridge, the following factors are worth checking:

Audit status Has the bridge been audited by reputable security firms? Are those audit reports publicly available? Have Critical and High findings been resolved?

Age and track record How long has the bridge been operating without a major exploit? Newer bridges have less proven track records.

Decentralisation of validation Some bridges rely on a small set of validator nodes or a multisig with a small number of signers. The fewer parties needed to approve a transaction, the higher the risk from a single point of compromise.

Native bridge vs. third-party bridge Layer 2 networks like Arbitrum, Optimism, and Base have official native bridges backed by the network itself. These are generally considered more secure than third-party bridges, though they often have longer withdrawal times.

Safer Alternatives to Third-Party Bridges

For many users, a bridge is not actually necessary. Consider these alternatives first:

Alternative	How It Works	Best For
Centralised exchange transfer	Deposit on Chain A, withdraw to Chain B	Moving large amounts between major chains
Native bridge	Use the official bridge provided by the L2 network	Moving to and from major Layer 2 networks
Direct purchase on destination chain	Buy the asset directly on the target chain	Starting fresh on a new chain

Centralised exchange transfers are often the simplest option for moving between major networks. You deposit on one chain, withdraw on another. The exchange handles the complexity. The tradeoff is that you are temporarily trusting the exchange with your funds.

Native bridges provided by networks like Arbitrum One, Optimism, Base, and Polygon have their security backed by the respective network's architecture. They are typically considered more trustworthy than independent third-party bridges. The downside is that native bridge withdrawals from Layer 2 back to Ethereum mainnet can take up to seven days due to fraud-proof challenge windows.

Comparison Table: Bridge Types and Risk Levels

Bridge Type	Security Model	Speed	Risk Level	Best Use Case
Lock-and-mint (3rd party)	Smart contract + validators	Fast (minutes)	Higher	Cross-ecosystem DeFi
Liquidity pool (3rd party)	Liquidity reserves	Fast (minutes)	Moderate	Native token transfers
Native L2 bridge	Network protocol	Slower (up to 7 days for withdrawals)	Lower	Moving to/from L2 networks
CEX transfer	Centralised intermediary	Variable (minutes to hours)	Moderate (custodial)	Casual cross-chain movement

When to Avoid Bridges Entirely

There are situations where the risk of using a third-party bridge is not worth it:

When moving large amounts that would represent a significant personal loss if the bridge were exploited
When the bridge is newly launched and has limited track record or audits
When the bridge has a very high TVL relative to its security investment
When the same move can be accomplished through a CEX or native bridge with minimal extra steps

For smaller amounts and experienced DeFi users who understand the risks, bridges remain a useful tool. For beginners or those moving substantial funds, taking the slower route through a native bridge or exchange is a more conservative and often more appropriate choice.

FAQ

What is a wrapped token? A wrapped token is a representation of an asset on a blockchain other than its native chain. For example, Wrapped Bitcoin (WBTC) is an ERC-20 token on Ethereum that represents Bitcoin. It is backed by Bitcoin held in a custodial arrangement and can be redeemed for the underlying asset.
Are all bridges equally risky? No. Risk varies significantly based on the bridge's architecture, audit history, validator structure, and age. Native bridges provided by established Layer 2 networks are generally considered safer than independent third-party bridges.
How do I know if a bridge has been audited? Most reputable bridges publish their audit reports on their official website or documentation. You can also check the auditing firm's website directly. If a bridge has no published audit, that is a meaningful risk signal.
What happens if a bridge is exploited while I have funds in transit? If your funds are locked in a bridge contract during an exploit, recovery depends on the nature of the hack and whether the team behind the bridge has emergency reserves or insurance. In many historical exploits, users lost funds permanently.
Can I use a hardware wallet with bridges? Yes. You can connect hardware wallets like Ledger to browser wallets like MetaMask and use them to sign bridge transactions. This protects your keys but does not reduce the smart contract risk of the bridge itself.
What is the difference between a bridge and a DEX aggregator? A DEX aggregator finds the best swap price across multiple decentralised exchanges on the same chain. Some aggregators also include cross-chain routing. A bridge specifically handles the transfer of assets between different blockchains, which is a separate function.

Disclaimer: This content is for educational and informational purposes only and is not financial advice. Nothing here is a recommendation to buy or sell any asset or use any platform. Do your own research and manage your risk.

Need deeper training?

Join our structured modules with live examples and expert checklists for effective implementation.

JOIN THE ACADEMY

Key Takeaways

Cross-chain bridges let you move crypto between different blockchains, but they do this by locking assets on one chain and creating representations on another, which introduces unique security risks.
Bridges have been the single most targeted infrastructure in DeFi. Hundreds of millions of dollars have been lost to bridge exploits.
For many users, transferring through a centralised exchange or using a native bridge is safer and simpler than using a third-party bridge.

The Problem Bridges Are Trying to Solve

Blockchains do not natively communicate with each other. Bitcoin cannot see what is happening on Ethereum. Ethereum does not know what is on Solana. Each blockchain is its own isolated system.

The problem is that bridges have also become the most reliably exploited category of infrastructure in crypto.

How Bridges Work: The Two Main Models

There are two primary technical models for how bridges handle asset transfers. Understanding both helps you assess the risks.

Model 1: Lock-and-Mint Bridges

This is the most common bridge model. Here is how it works:

You send Token A on Chain A to a bridge smart contract. The contract locks your tokens.
The bridge observes that lock event.
The bridge mints an equivalent "wrapped" version of Token A on Chain B and sends it to your wallet.
When you want to return, you send the wrapped tokens back to the bridge on Chain B. The bridge burns them and unlocks the original tokens on Chain A.

Model 2: Liquidity Pool Bridges

Instead of locking and minting, liquidity pool bridges maintain reserves of the actual native token on each chain.

You deposit Token A on Chain A into a liquidity pool.
The bridge sends you Token A from its existing pool on Chain B.
No wrapping happens. You receive the real, native token on the destination chain.

The Bridge Exploit Record

Bridges have suffered some of the largest hacks in crypto history. The scale of losses has made bridge security one of the most discussed topics in the industry.

Bridge	Year	Amount Lost	Method
Ronin Network (Axie Infinity)	2022	~$625 million	Private key compromise
Wormhole	2022	~$320 million	Smart contract exploit
Nomad	2022	~$190 million	Logic flaw in smart contract
Harmony Horizon	2022	~$100 million	Private key compromise
Multichain	2023	~$130 million	Suspected internal compromise

These are widely reported figures from public post-mortems and blockchain analytics firms. Exact amounts vary by source due to price fluctuations at the time of the exploit.

The pattern is clear. Bridges concentrate enormous value in smart contracts or multisig wallets. A single vulnerability, whether in code or key management, can result in catastrophic loss.

Bridge TVL as a Risk Signal

How to Assess a Bridge Before Using It

If you need to use a bridge, the following factors are worth checking:

Audit status Has the bridge been audited by reputable security firms? Are those audit reports publicly available? Have Critical and High findings been resolved?

Age and track record How long has the bridge been operating without a major exploit? Newer bridges have less proven track records.

Safer Alternatives to Third-Party Bridges

For many users, a bridge is not actually necessary. Consider these alternatives first:

Alternative	How It Works	Best For
Centralised exchange transfer	Deposit on Chain A, withdraw to Chain B	Moving large amounts between major chains
Native bridge	Use the official bridge provided by the L2 network	Moving to and from major Layer 2 networks
Direct purchase on destination chain	Buy the asset directly on the target chain	Starting fresh on a new chain

Comparison Table: Bridge Types and Risk Levels

Bridge Type	Security Model	Speed	Risk Level	Best Use Case
Lock-and-mint (3rd party)	Smart contract + validators	Fast (minutes)	Higher	Cross-ecosystem DeFi
Liquidity pool (3rd party)	Liquidity reserves	Fast (minutes)	Moderate	Native token transfers
Native L2 bridge	Network protocol	Slower (up to 7 days for withdrawals)	Lower	Moving to/from L2 networks
CEX transfer	Centralised intermediary	Variable (minutes to hours)	Moderate (custodial)	Casual cross-chain movement

When to Avoid Bridges Entirely

There are situations where the risk of using a third-party bridge is not worth it:

When moving large amounts that would represent a significant personal loss if the bridge were exploited
When the bridge is newly launched and has limited track record or audits
When the bridge has a very high TVL relative to its security investment
When the same move can be accomplished through a CEX or native bridge with minimal extra steps

FAQ

What is a wrapped token? A wrapped token is a representation of an asset on a blockchain other than its native chain. For example, Wrapped Bitcoin (WBTC) is an ERC-20 token on Ethereum that represents Bitcoin. It is backed by Bitcoin held in a custodial arrangement and can be redeemed for the underlying asset.
Are all bridges equally risky? No. Risk varies significantly based on the bridge's architecture, audit history, validator structure, and age. Native bridges provided by established Layer 2 networks are generally considered safer than independent third-party bridges.
How do I know if a bridge has been audited? Most reputable bridges publish their audit reports on their official website or documentation. You can also check the auditing firm's website directly. If a bridge has no published audit, that is a meaningful risk signal.
What happens if a bridge is exploited while I have funds in transit? If your funds are locked in a bridge contract during an exploit, recovery depends on the nature of the hack and whether the team behind the bridge has emergency reserves or insurance. In many historical exploits, users lost funds permanently.
Can I use a hardware wallet with bridges? Yes. You can connect hardware wallets like Ledger to browser wallets like MetaMask and use them to sign bridge transactions. This protects your keys but does not reduce the smart contract risk of the bridge itself.
What is the difference between a bridge and a DEX aggregator? A DEX aggregator finds the best swap price across multiple decentralised exchanges on the same chain. Some aggregators also include cross-chain routing. A bridge specifically handles the transfer of assets between different blockchains, which is a separate function.

Need deeper training?

Join our structured modules with live examples and expert checklists for effective implementation.

JOIN THE ACADEMY

Key Takeaways

The Problem Bridges Are Trying to Solve

How Bridges Work: The Two Main Models

Model 1: Lock-and-Mint Bridges

Model 2: Liquidity Pool Bridges

The Bridge Exploit Record

Bridge TVL as a Risk Signal

How to Assess a Bridge Before Using It

Safer Alternatives to Third-Party Bridges

Comparison Table: Bridge Types and Risk Levels

When to Avoid Bridges Entirely

FAQ

More Read

Need deeper training?

Get a $100K funded account

Share Transmission

The Ultimate Trading Bot

Continue Learning

DeFi Risk Management 101: How to Protect Your Portfolio From Protocol Failures

How to Read a Smart Contract Audit Report (Without Being a Developer)

How Lazarus Group Stole $285M from Drift Protocol Using a 6-Month Social Engineering Campaign

Key Takeaways

The Problem Bridges Are Trying to Solve

How Bridges Work: The Two Main Models

Model 1: Lock-and-Mint Bridges

Model 2: Liquidity Pool Bridges

The Bridge Exploit Record

Bridge TVL as a Risk Signal

How to Assess a Bridge Before Using It

Safer Alternatives to Third-Party Bridges

Comparison Table: Bridge Types and Risk Levels

When to Avoid Bridges Entirely

FAQ

More Read

Need deeper training?

Get a $100K funded account

Share Transmission

The Ultimate Trading Bot

Continue Learning

DeFi Risk Management 101: How to Protect Your Portfolio From Protocol Failures

How to Read a Smart Contract Audit Report (Without Being a Developer)

How Lazarus Group Stole $285M from Drift Protocol Using a 6-Month Social Engineering Campaign