In the early days of Web3, users could exist comfortably on a single blockchain. But as the ecosystem matured, the need to interact across multiple chains became essential. This need gave rise to cross chain bridges and smart contracts that enable the transfer of tokens from one blockchain to another.
The idea is simple: lock an asset on Chain A, mint a wrapped version on Chain B, and reverse the process when the user wants to redeem the original asset. But the execution? Not so simple. Bridges have become one of the largest honeypots in DeFi, and attackers have repeatedly proven that theoretical security falls apart when not implemented properly. Let’s break down some of the most significant cross, chain bridge failures.
1. Poly Network – Unsafe External Call
In August 2021, the Poly Network was exploited for $611 million. The root cause? A privileged contract, EthCrossChainManager, allowed arbitrary external calls. It accepted user controlled _toContract addresses and _methodbytes, letting the attacker manipulate the call to another privileged contract – EthCrossChainData. The attacker successfully bypassed ownership checks and drained funds using crafted calldata.
This hack highlighted the danger of granting too much trust to a single contract without enforcing strict call validation and access control.
2. Ronin & Harmony – Key Mismanagement
Bridges often rely on multisigs for operations. But when keys are poorly protected, the whole system crumbles.
Ronin Network ($624M): The bridge used a 9, validator setup, with only 5 signatures needed to approve a transaction. An attacker breached Sky Mavis (the team behind Axie Infinity), got access to 5 validators, and withdrew 173K ETH and 25M USDC. The result? The largest DeFi hack to date.
Harmony Bridge ($100M): Harmony used a 2, of, 5 multisig setup. The private keys, likely stored as hot wallets or in plaintext, were compromised. The attacker used these to sign malicious withdrawals and bridge the funds to Ethereum, Tornado Cash, and other chains.
3. BNB Bridge – Cryptographic Proof Forgery
BNB Bridge suffered a $586M loss due to a vulnerability in its cryptographic proof validation. The attacker crafted a fake IAVL tree proof for a legitimate block (110217401), forging a root hash that passed validation.
The bridge processed just two malicious messages, enough for the attacker to mint 2 million BNB. The hacker then deposited it to Venus Protocol as collateral, borrowed stablecoins, and spread the funds across multiple chains. Binance had to halt the chain for 8 hours to mitigate further damage.
4. Wormhole – Signature Verification Bypass
In February 2022, Wormhole lost $326M in ETH due to a flawed signature verification process. The verify_signatures function delegated checks to Solana’s secp256k1 precompile. But due to a wrong program version, no real check occurred. The attacker exploited this by crafting fake VAA (Verified Action Approval) messages and minting 120K ETH from thin air.
This breach shows how critical it is to ensure dependencies (like cryptographic programs) are correctly integrated and versioned.
5. Nomad Bridge – Initialization Oversight
Nomad Bridge was drained of $190M due to a misconfigured Replica contract. After an upgrade, the contract accepted a zero address as a trusted root. This allowed any message to be considered valid. Attackers (and random users who copied the exploit) called the process function without proof, draining funds.
The first attacker even failed the first try and lost $350K in gas fees—but succeeded on the second attempt. The chaotic nature of the hack led to crowd looting, where opportunistic users joined in.
6. Qubit Finance – Non, Reverting Transfers
Qubit’s QBridge lost $80M because a call to safeTransferFrom did not revert when tokenAddress was zero. Attackers deposited zero ETH but were still credited with value. They repeated this to mint fake assets and bridge them out.
The lesson here? Never assume that failed token transfers will always revert, especially when dealing with native tokens.
Lessons Learned
From custom calldata manipulation to key mismanagement and cryptographic oversights, these hacks reflect a recurring theme: complexity introduces risk. Here are the key takeaways:
- Do not over trust privileged contracts. Always validate input, access, and destination calls.
- Multisigs are not silver bullets. Secure key management is essential, especially when hot wallets or centralized entities control keys.
- Cryptographic primitives must be implemented and verified rigorously. A single mishandled proof or version mismatch can lead to catastrophic failures.
- Initialization matters. Uninitialized or poorly upgraded contracts can unintentionally accept invalid data.
- Native token handling should be double checked. Missing call success checks is a silent killer.
Bridges are essential for a multi, chain future, but they also represent the hardest problems in Web3 security. As long as their implementations remain complex and their security assumptions fragile, bridges will continue to be a primary target for hackers.
Conclusion
Cross-chain bridges were designed to enable a seamless multi-chain experience, but their complexity has made them some of the most vulnerable components in Web3 infrastructure. While the theoretical models behind these systems promise secure and efficient interoperability, the real-world implementations often fall short due to oversights in access control, cryptographic validation, and operational security.
From misconfigured contracts and forged proofs to compromised multisig keys and overlooked initialization bugs, attackers have exploited even the smallest gaps—turning them into multimillion-dollar exploits. These incidents are not just technical failures; they’re a stark reminder that in decentralized systems, the margin for error is incredibly thin.
