What is a bridge?

A bridge is a system that lets assets or messages move from one blockchain to another. Because each chain is a separate state machine with no native awareness of the others, moving a token from Ethereum to Arbitrum or from Ethereum to Solana requires extra machinery — and that machinery is, historically, the most frequently exploited component in all of crypto.

Lock-and-mint

The most common bridge pattern is lock-and-mint. The user deposits an asset on chain A into a bridge contract, which locks it. An off-chain component — a set of validators, a multisig, an oracle network — observes the deposit and authorizes the bridge contract on chain B to mint an equivalent wrapped token to the user's address. When the user wants to go back, they burn the wrapped token on B and the bridge releases the original on A.

Wrapped Bitcoin on Ethereum (WBTC) is a familiar example, though WBTC is centralized: BitGo holds the Bitcoin and mints the ERC-20. Decentralized bridges use a distributed set of signers instead of one custodian. LayerZero, Wormhole, Axelar, and the Cosmos IBC protocol all implement variants of this pattern with different security assumptions.

The key question with any bridge is: who has to be honest for the wrapped asset to remain backed? If ten multisig signers can collectively mint unlimited wrapped ETH, then the security of the bridge is the security of those ten signers. That is a weaker trust model than Ethereum itself.

Canonical vs. third-party bridges

Rollups complicate the picture. Every major rollup (Arbitrum, Optimism, Base, zkSync, StarkNet, Scroll) has a canonical bridge run by the protocol itself. Funds deposited through the canonical bridge are secured by the rollup's proof system (optimistic or zero-knowledge, see the rollup explainer). Withdrawing back to Ethereum goes through the same proof system, which is why withdrawals from optimistic rollups take seven days — that is the challenge window.

Third-party bridges exist alongside the canonical ones and are usually faster but less secure. A third-party bridge might let the user withdraw from Arbitrum to Ethereum in minutes by advancing them mainnet funds against their pending rollup withdrawal. The third party takes the withdrawal-timing risk. The user pays a fee for the speed.

For assets users plan to hold for more than a week, the canonical bridge is almost always the right answer. For short-term trading, third-party bridges are a reasonable trade.

Messaging, not just assets

Modern bridges move more than tokens. They move arbitrary messages — calls from a contract on one chain to a contract on another. LayerZero's omnichain messaging, Wormhole's Generic Message Passing, and Axelar's General Message Passing let an Ethereum contract trigger an action on Solana or Arbitrum and vice versa.

This opens up cross-chain applications: a lending protocol on one chain that pulls collateral from another, a governance system that spans multiple deployments, a user experience that abstracts away which chain the user is on. It also multiplies the trust assumptions, because the receiving chain's contract is acting on the bridge's word that a message really happened on the other side.

Bridges are where crypto gets hacked

Bridges hold enormous amounts of locked collateral with relatively small security teams and complex cross-chain logic. That combination has been catastrophic.

Ronin, the bridge for Axie Infinity, lost 620 million dollars in March 2022 when attackers compromised five of nine validator keys. Wormhole lost 326 million dollars in February 2022 after a signature-verification bug was exploited. Nomad lost 190 million dollars in August 2022 after a configuration mistake let anyone spoof any message. Poly Network lost 611 million dollars in 2021, though nearly all of it was returned. Multichain collapsed in 2023 after its CEO disappeared and the bridge was effectively drained.

These are not obscure incidents. They are most of the largest hacks in crypto history. The pattern is consistent: bridges accumulate TVL, concentrate trust in a small validator set or multisig, and become single points of failure. Anyone using a bridge is making a bet on the security of that specific bridge's setup.

The new generation

Newer designs try to reduce trust. Intent-based bridges (Across, Everclear) let solvers front the user their funds on the destination chain and then compete to reclaim them on the origin. ZK bridges (Polyhedra, Succinct) prove the source chain's state cryptographically on the destination chain, shrinking the trust assumption to the correctness of a proof. IBC, the Cosmos interoperability protocol, uses light-client verification between chains, which is more secure than multisigs but requires the chains to maintain compatible consensus proofs.

None of these are final. Bridging remains an open problem, and the "right" design depends on what assets are moving, how fast, and how much the user is willing to pay for finality.

Why it matters

Most of the user experience of multi-chain crypto depends on bridges. Most of the risk does too. Understanding that a bridge is usually the weakest link in a cross-chain position — weaker than Ethereum, weaker than the rollup, weaker than the protocol being used — is the habit that keeps a portfolio from getting drained in a bridge exploit. When in doubt, prefer canonical bridges, keep bridged positions small, and do not let wrapped tokens sit longer than they need to.