Cross-Chain Bridges: How They Work and the Risks Explained

One of the most fundamental problems in the crypto ecosystem is that blockchains do not talk to each other natively. Bitcoin cannot interact with Ethereum. Ethereum cannot use Solana’s apps. Each blockchain is an isolated island with its own rules, tokens, and ecosystem. Cross-chain bridges exist to solve this problem — they allow users to move assets between different blockchains. But bridges have become the single most exploited component in crypto infrastructure. Over £2 billion has been stolen from bridge hacks since 2021. This article explains how cross-chain bridges work, why they are necessary, and how to use them as safely as possible.

Why Blockchains Cannot Communicate Natively

Every blockchain is a self-contained system. Ethereum has its own virtual machine, its own consensus mechanism, its own token standard (ERC-20), and its own set of validator nodes. Solana has completely different architecture: different programming model, different validator set, different token format. Bitcoin has no smart contract capability at all. These systems were built independently, with no mechanism for one to verify the state of another.

This isolation creates a practical problem. If you hold ETH on Ethereum and want to use an application that only exists on Solana, you cannot simply send your ETH there — the Solana network has no awareness of Ethereum balances. You would need to sell your ETH on a centralised exchange, buy SOL, transfer to a Solana wallet, and then use the application. This is slow, expensive (exchange fees, spread, and potentially capital gains tax events in the UK), and requires using a centralised intermediary.

Cross-chain bridges provide an alternative: a mechanism to represent your Ethereum assets on Solana (or any other chain) without selling them. In 2024, over $20 billion in assets was bridged across chains monthly, according to DeFi analytics firm DeFiLlama — demonstrating the genuine demand for cross-chain interoperability despite the associated risks.

How Cross-Chain Bridges Work

Most cross-chain bridges use one of two core mechanisms: lock-and-mint or burn-and-mint.

In a lock-and-mint bridge, you deposit your original asset (say, ETH) into a smart contract on the source chain (Ethereum). The bridge locks that ETH in the contract and mints a “wrapped” version of the asset on the destination chain — for example, Wrapped ETH (wETH) on Solana. The wrapped token represents a claim on the original locked ETH. When you want your ETH back, you return the wrapped token to the bridge, it burns it, and releases the original ETH from the lock contract. The critical point: the bridge must hold the original assets in a smart contract at all times, making that contract a high-value target for attackers.

In a burn-and-mint bridge, the original token is burned (permanently destroyed) on the source chain and a new token is minted on the destination chain. This avoids the need for a custody contract but requires tight coordination between the token issuers on both chains. Circle’s Cross-Chain Transfer Protocol (CCTP), used to move USDC between supported blockchains, uses this model — it is generally considered more secure because there is no central custody contract holding billions in assets.

The mechanism for verifying that a lock event on chain A actually occurred before minting on chain B varies between bridges. Some use a multi-signature scheme (a set of validators who collectively sign messages confirming events on both chains). Others use light clients (software that verifies the source chain’s block headers directly). Some rely on a trusted relay or oracle network. This verification mechanism is typically where bridge vulnerabilities lie.

Major Bridge Protocols

Several cross-chain bridges have become significant infrastructure in the crypto ecosystem.

Stargate Finance (built on the LayerZero protocol) is one of the largest bridge protocols by volume, supporting transfers between Ethereum, Arbitrum, Optimism, Polygon, BNB Chain, Avalanche, and other chains. LayerZero uses a decentralised oracle and relayer network to verify cross-chain messages. As of 2025, Stargate has processed over $20 billion in cumulative volume.

Wormhole connects over 30 blockchains including Ethereum, Solana, Sui, and Aptos. It uses a network of 19 guardian nodes that observe events on each connected chain and sign attestations. Wormhole was the victim of the largest single bridge hack in history — $320 million (approximately £250 million) was stolen in February 2022 when attackers exploited a bug in the Solana-side bridge contract.

Polygon Bridge is the canonical bridge for moving assets between Ethereum mainnet and the Polygon PoS chain. It is widely used because of Polygon’s popularity for lower-cost DeFi and NFT activity. The Polygon Bridge uses a checkpoint system where Polygon validators periodically submit state roots to Ethereum, providing a relatively strong security model.

Arbitrum Bridge and Optimism Gateway are the official bridges for Ethereum’s two largest Layer 2 networks. These are considered among the more secure bridges because they inherit Ethereum’s security model through fraud proofs (Arbitrum) or validity proofs (Optimism’s newer Superchain components). They have 7-day withdrawal delays for security — a deliberate design choice that most users find inconvenient but security researchers consider appropriate.

Why Bridges Are the Most Hacked Component in Crypto

Bridges concentrate enormous value in smart contracts that must interact with multiple different blockchain environments simultaneously. This creates a dramatically larger attack surface than a single-chain application. Between 2021 and 2024, bridge hacks accounted for the majority of all funds stolen from the crypto ecosystem.

The Ronin Bridge hack in March 2022 — where $625 million (approximately £490 million at the time) was stolen from the Axie Infinity ecosystem bridge — remains the largest single crypto hack in history. The Ronin Bridge used only 9 validator nodes, 5 of which were controlled by Sky Mavis (Axie Infinity’s developer). Attackers gained control of 5 nodes through a compromised employee and a backdoor in a legacy smart contract, giving them the majority needed to authorise fraudulent withdrawals. The attack was not detected for six days.

The Nomad Bridge hack in August 2022 stole $190 million through a configuration error that allowed anyone to claim funds from the bridge. Once the vulnerability was discovered and exploited publicly, hundreds of copycat attackers drained the remaining funds in a matter of hours in what became known as a “chaotic free-for-all.”

The common factors across bridge hacks: centralised validator sets (reducing the attacker’s required footprint), smart contract bugs in complex cross-chain verification logic, and the concentration of assets in a single contract. These are structural properties of most bridges, not one-off implementation errors.

How to Use Bridges More Safely

For UK crypto users who need to bridge assets, several practices reduce (but do not eliminate) risk.

Use bridges that have been audited by multiple reputable security firms. Most major bridges publish their audit reports. Bridges audited by Certik, Trail of Bits, OpenZeppelin, or Zellic have at least passed professional review. An audit does not guarantee safety — the Wormhole hack occurred despite audits — but it reduces the probability of basic errors.

Prefer battle-tested bridges with long operating histories. Newer bridges have not been stress-tested by adversaries. The Arbitrum and Optimism official bridges have operated since 2021 with no major hacks. Polygon Bridge has operated since 2021. Longer track records with high TVL (total value locked) under adversarial conditions are positive signals.

Bridge the minimum necessary amount. Do not leave large balances in bridged “wrapped” tokens for extended periods. The risk of a bridge hack is time-weighted: the longer your assets remain in the bridge’s custody structure, the longer the exposure window. Move assets, use them for your intended purpose, and bridge back.

Consider whether you actually need to bridge. Many centralised exchanges list tokens native to multiple chains. It is often possible to buy an asset directly on the destination chain from an exchange withdrawal rather than bridging. This avoids bridge risk entirely, at the cost of exchange fees and a central counterparty.

Burn-and-mint bridges are generally safer than lock-and-mint. If you need to move a stablecoin like USDC between chains, Circle’s CCTP (used by some Ethereum-to-Solana transfers) is safer than bridging through a protocol that holds locked USDC in a contract.

Bridge Risk and UK Tax Implications

For UK crypto holders, bridging assets may have tax implications. HMRC treats wrapped tokens as a new asset for capital gains tax purposes in some scenarios. If you bridge ETH and receive wETH on another chain, HMRC’s guidance on whether this constitutes a disposal (triggering CGT) is not fully settled as of 2026. The safest interpretation is to treat the bridge as a disposal and acquisition at the same price (effectively no gain) and document the transaction. Given HMRC’s increasing enforcement activity, maintaining clear records of all bridge transactions — timestamps, amounts, exchange rates — is advisable for any UK holder who bridges assets regularly.

What This Means for UK Crypto Users

Cross-chain bridges are genuinely useful infrastructure that enables the multi-chain crypto ecosystem. They are also the single most dangerous touchpoint in DeFi. The concentration of value, the complexity of cross-chain verification, and the adversarial environment mean that bridge hacks will continue to occur. For most UK retail investors, avoiding bridges altogether is the safest option — using centralised exchanges to move between chains when necessary. For more advanced users who need to bridge, choosing audited, battle-tested protocols with decentralised validator sets, and bridging the minimum necessary amount, materially reduces risk without eliminating it.

This article is for educational purposes only and does not constitute financial advice. Cryptocurrency investments involve significant risk. Always do your own research.