Logo Distributed Networks Institute

Bridge Exploits

Cross-chain bridges have been responsible for some of the largest losses in crypto infrastructure. Incidents such as Ronin ($625 million), Wormhole ($325 million), and Nomad ($190 million) show how attackers can exploit validator trust, signature verification logic, or upgrade mistakes to drain assets that are supposed to be locked on one chain and represented on another.

The Mechanism of Bridge Attacks

Bridges typically lock assets on a source chain and mint a wrapped or synthetic representation on a destination chain. The attack surface sits in the authorization path that decides whether a withdrawal or mint request is valid.

  • Validator compromise: Many bridges rely on a validator or multisig set. If an attacker compromises enough validator keys, as happened in Ronin, they can approve fraudulent withdrawals.
  • Signature verification bugs: Bridges that verify proofs or signatures on-chain can fail catastrophically if a contract trusts the wrong syscall, program, or proof format, as seen in Wormhole.
  • Initialization and upgrade flaws: A bad default value or broken upgrade path can disable authentication entirely, which is what made Nomad so easy to copycat.

Case Studies

1. Ronin Network ($625M) - Validator Key Compromise

  • Vector: Ronin lost control of 5 of 9 validator approvals after the attacker compromised validator infrastructure tied to Sky Mavis and the Axie DAO allowlist path, enabling fraudulent bridge withdrawals, as documented in the repo’s Ronin incident page.
  • Impact: The attacker withdrew approximately 173,600 ETH and 25.5 million USDC, for an estimated loss of $625 million.
  • Lesson: A bridge secured by a small, operationally centralized validator set inherits the security of that team’s internal access controls.

2. Wormhole ($325M) - Signature Verification Failure

  • Vector: Wormhole’s Solana-side verification path accepted a spoofed sysvar / verification context, allowing the attacker to bypass signature validation and mint unbacked assets, according to the repo’s Wormhole incident write-up.
  • Impact: The attacker minted 120,000 wETH and redeemed enough of it to create an estimated loss of $325 million.
  • Lesson: Cross-chain verification code is security-critical infrastructure; contracts must validate not just a signature-like event, but the trusted source and context that produced it.

3. Nomad Bridge ($190M) - Initialization Flaw

  • Vector: A Nomad upgrade initialized the trusted root to 0x00, which meant crafted messages could be treated as valid without real authentication, as summarized in the repo’s Nomad incident page.
  • Impact: The flaw triggered a copycat “crowd-looting” event that drained more than $190 million, with later partial returns by white hats.
  • Lesson: Upgrade parameters and default values deserve the same scrutiny as core bridge logic; one bad initialization can collapse message authentication for everyone.

Mitigations

  • Harden validator operations: Use better key isolation, limit implicit trust paths, and avoid small validator sets that can be socially or operationally compromised.
  • Audit verification code as core logic: Signature and proof validation should receive the same review depth as custody logic, especially on non-EVM bridge components.
  • Stage upgrades defensively: Require peer review, invariant checks, and rollback procedures for bridge upgrades and initialization changes.
  • Rate-limit and circuit-break withdrawals: Bridges should be able to pause or slow abnormal outflows before a bug escalates into a full treasury drain.