How to Evaluate the Security of On-Chain Cross-Chain Bridges? Analysis of Historical Theft Cases


Vulnerability attacks on cross-chain bridges have caused losses exceeding $4.3 billion. Cases like Ronin and Poly Network each incurred losses in the hundreds of millions. Behind this figure lies an easily overlooked reality: many vulnerabilities exploited by attackers are invisible to ordinary users on the front end. Contract permissions, signature mechanisms, and off-chain verification—if any layer has a problem, assets on the bridge can be affected. In June 2026, the cross-chain bridge between Secret Network and Axelar was attacked for seven days before being discovered, because the vulnerable contract had not been audited since early 2023. This article dissects the risk levels of cross-chain bridges and uses real cases to tell you: what to look at and how to evaluate whether a bridge is secure.


Why Cross-Chain Bridges Are Particularly Targeted

The operational logic of cross-chain bridges is not essentially about "moving assets from chain A to chain B," but rather about using a verification mechanism to mint wrapped assets on the target chain or release corresponding assets from a pool.

This means that cross-chain bridges naturally concentrate three kinds of high-value targets: first, locked assets—the bridge contract holds large amounts of highly liquid assets such as USDC and ETH; second, the cross-chain verification mechanism—to confirm what happened on another chain, the bridge must rely on validator signatures or a relay system, and the more complex that mechanism is, the larger the attack surface; third, contract permissions—if the permission design is flawed, attackers may bypass the normal process and withdraw assets directly.

Academic statistics show that from 2021 to September 2024, there were 49 cross-chain bridge attacks, with losses from attacks targeting cross-chain business logic far exceeding other types. In the Rekt attack database, the top three cases by loss are all related to cross-chain bridges: Ronin Network lost $624 million, Poly Network lost $611 million, and BNB Bridge lost $586 million.

Three Core Threat Models

The security issue of cross-chain bridges is essentially a trust assumption problem. Sherlock's 2026 security report categorizes cross-chain verification mechanisms into four types, each with completely different risk profiles:

Light Client Verification Type. Verifies messages by checking the consensus or finality rules of the other chain. Risks mainly come from finality mismatch—what is considered "final" on chain A may not be reliable enough from chain B's perspective. Risks also include bugs in the light-client validation code and extreme cases such as censorship or a halt of the source chain.

Committee or External Verification Type. Relies on a group of signers (multisig, MPC, oracle groups) to confirm messages. The problem with this model is that the trust assumption is very "blunt"—it must assume that enough signers remain honest and uncompromised at all times. Once signing keys are leaked, attackers can forge authorizations.

Optimistic Verification Type. Messages are accepted by default, and anyone can raise a dispute within a challenge window. The risk here is that the design must assume at least one honest observer is awake, has funds, and can initiate a dispute within the window. A new problem in 2026 is that delay and interference attacks can be as deadly as direct forgery—the system may be dragged into a "safe but unusable" state.

ZK Validity Verification Type. Uses succinct zero-knowledge proofs to confirm messages. Trust assumptions shift to circuit specifications—the prover must prove the correct statement, and the upgrade process must be securely governed.

Understanding these categories is important because different designs have different trust assumptions, and most vulnerabilities arise from "treating trust assumptions as technical guarantees." When assumptions are broken, other layers lack corresponding emergency mechanisms.

Patterns in Historical Cases: Vulnerabilities Often Hide in "Logic Migration" and "Verification Gaps"

In June 2026, the cross-chain bridge between Secret Network and Axelar was attacked, resulting in a loss of $4.67 million. The attack lasted for seven full days until a normal cross-chain transfer failed due to insufficient funds in the custody account, leading to its discovery. What was the root cause? When the contract changed from a custody model to a minting model, it deleted two key functions responsible for verifying the source of transfers, and since its deployment in early 2023, it had never undergone an external audit.

Vulnerabilities of this kind, where "the logic is changed but the verification is not," are not uncommon. Cross-chain bridge code is updated frequently, but every time the business logic changes, the corresponding verification mechanisms and security boundaries need to be reassessed. More concerningly, Axelar emphasized that the exploited contract was not developed or maintained by Axelar—the bridge was a separate piece of infrastructure—but users often cannot tell the difference.

Another pattern is that the destructive power of cross-chain attacks is usually much greater than single-chain attacks. The reason is that attacking cross-chain business logic can affect multiple chains simultaneously, while single-chain attacks typically only affect one environment.

Three Dimensions for Evaluating Security: Layers, Assumptions, and Response Capability

Sherlock's security framework provides an evaluation approach: break the cross-chain system into three layers for analysis—the consensus layer, the transport layer, and the application layer.

The consensus layer looks at the finality assumptions of the source and target chains, their resistance to reorganization attacks, and whether validators can easily be bribed. Many cross-chain attacks exploit "finality mismatch"—a state considered "final" on chain A may not be stable enough from chain B's perspective.

The transport layer examines whether the channel that carries cross-chain messages is itself secure: whether messages can be censored by relayers, replayed, or tampered with, and whether the channel supports sequence numbers to prevent replay and timeout mechanisms to bound how long a message stays valid. The IBC protocol is considered a security reference largely because it defines clear ordering and timeout semantics at the transport layer.

The application layer looks at how the contract on the target chain processes received messages. A common mistake is to "trust any received payload and directly update balances." The correct approach is to treat every inbound message as malicious input: decode it strictly, check permissions strictly, accept messages only from whitelisted source chains and source contracts, and process each message exactly once.
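The following is an added example, not code from the article or from any bridge project: a small Python model of the transport- and application-layer checks described above (whitelisted source chain and contract, a committee signature quorum as in the external-verification model, per-channel sequence numbers against replay, a timeout height, and strict payload decoding). The message layout, the `recipient:amount` payload format, and the hash-based `toy_sign` stand-in for a real signature scheme are all assumptions made for the example.

```python
import hashlib
from typing import NamedTuple

class Message(NamedTuple):
    src_chain: str
    src_contract: str
    seq: int             # per-channel sequence number (replay protection)
    timeout_height: int  # target-chain height after which the message is void
    payload: bytes       # assumed format: b"recipient:amount"

def message_digest(m: Message) -> bytes:
    # Bind every routing field into the signed digest, not just the payload.
    return hashlib.sha256(f"{m.src_chain}|{m.src_contract}|{m.seq}|{m.timeout_height}|".encode() + m.payload).digest()

def toy_sign(signer: str, digest: bytes) -> bytes:
    # Stand-in for a real signature scheme (e.g. ECDSA); only the quorum logic matters here.
    return hashlib.sha256(signer.encode() + digest).digest()

def decode_payload(payload: bytes):
    # Strict decoding: exactly two fields, non-empty recipient, positive integer amount.
    parts = payload.split(b":")
    if len(parts) != 2 or not parts[0] or not parts[1].isdigit() or int(parts[1]) <= 0:
        return None
    return parts[0].decode(), int(parts[1])

class BridgeReceiver:
    def __init__(self, trusted_channels, signers, threshold):
        self.trusted = set(trusted_channels)  # allowed (source chain, source contract) pairs
        self.signers, self.threshold = set(signers), threshold  # committee ids, quorum size
        self.next_seq, self.balances = {}, {}  # channel -> expected seq; recipient -> credit
    def receive(self, msg, signatures, current_height: int) -> str:
        channel = (msg.src_chain, msg.src_contract)
        if channel not in self.trusted:
            return "reject: untrusted source"
        if current_height > msg.timeout_height:
            return "reject: timed out"
        if msg.seq != self.next_seq.get(channel, 0):
            return "reject: bad sequence (replay or gap)"
        digest = message_digest(msg)  # each known signer counts once; unknown signers never count
        if sum(1 for s, sig in signatures.items() if s in self.signers and sig == toy_sign(s, digest)) < self.threshold:
            return "reject: insufficient valid signatures"
        if (decoded := decode_payload(msg.payload)) is None:
            return "reject: malformed payload"
        recipient, amount = decoded
        self.next_seq[channel] = msg.seq + 1  # consume the sequence before crediting
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return "ok"
```

Feeding the same signed message twice shows the replay rejection, and a message signed by one known and one unknown signer fails the quorum even though two signatures are present.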

Additionally, response capability is another underestimated dimension. Security practices in 2026 have recognized that monitoring and emergency response are not just nice-to-haves but part of the core security budget. Real-time monitoring tools need to identify abnormal transaction patterns and automatically trigger circuit breakers to pause bridge activity upon detecting anomalies. At the user level, after a cross-chain transfer, you can check transaction status on both the source and target chains through a block explorer to confirm whether assets have actually been transferred.


Practical Advice: What to Note When Using Cross-Chain Bridges

It is unrealistic to completely avoid cross-chain bridges, as the multi-chain ecosystem is already a daily reality. But before using one, you can do a few things: confirm the entry point is from an official channel (especially right after a security incident, fake "asset migration" phishing sites are common); check if the project has issued any abnormal announcements; test with small amounts instead of transferring large assets all at once; when authorizing, try to use "exact amount" rather than "unlimited approval."

Additionally, after a cross-chain transfer, do not assume the asset has arrived and everything is done. Use a block explorer to separately check the transaction status on both the source and target chains, confirm that the receiving contract address is indeed the official contract, and do not click on unfamiliar links just because a token with the same name suddenly appears in your wallet.