What Are Cross-Chain Bridges? How Crypto Bridges Work Between Blockchains
Wormhole lost $320 million in February 2022. Somebody found a bug in its Solana smart contract, forged a signature, minted 120,000 wETH out of thin air. Gone. A month later, Ronin Bridge went down for $625 million. Hackers got hold of five out of nine validator keys. Social engineering, not some genius cryptographic break. Then Nomad lost $190 million because a routine code upgrade accidentally told the smart contract that every single transaction proof was valid. People on crypto Twitter literally copied the exploit transaction, changed the recipient address to their own, and clicked submit. It became a public looting.
Over a billion dollars from three protocols in twelve months. You'd expect the market to abandon bridge infrastructure after that.
It didn't. TVL across bridges climbed to $55 billion by 2025. Portal, Wormhole's rebranded protocol (the very same one from the $320M hack), rebuilt itself and now sits at $3.5 billion in TVL. Money keeps flowing because bridges matter. Blockchains can't talk to each other natively, and people want their assets on whichever chain has the best yield, the cheapest gas, or the game they're playing. Cross-chain bridges enable that movement across different blockchain ecosystems.
I've been covering bridge protocols for three years. The most common question I still get from people new to crypto: "why can't I just send my ETH to Solana?" This article covers how a cross-chain bridge works and why the answers matter.
Why cross-chain bridges exist: the interoperability problem
Blockchains don't talk to each other. That's the core issue. Ethereum has no idea what's happening on Solana. Solana has no concept of Bitcoin's UTXO model. Arbitrum and Polygon are both Ethereum L2s and still can't verify each other's state directly. Different consensus, different virtual machines, different everything. An ETH sitting in your Ethereum wallet is a completely different object from an ETH on Arbitrum, even though humans think of them as the same thing.
Now multiply that isolation by the thirty-something active chains running today, each with DeFi protocols, NFT markets, and user bases that don't overlap. You've got $10,000 in USDC on Ethereum but the best lending rate is on Avalanche. You minted an NFT on Polygon but the buyers are on Ethereum. Your game runs on Immutable X but your wallet is funded on Arbitrum. Without bridges, your only option is selling on one chain and rebuying on another through a centralized exchange. Slow, expensive, and you're trusting a CEX to hold your funds during the process.
Cross chain bridges exist to fix this. They're decentralized application protocols that enable the transfer of assets and data from one blockchain network to another. Ferries between different blockchain islands that can't build airports to each other. Bridges allow assets to flow where they're needed. The ferry isn't perfect and sometimes it sinks (see: every bridge hack above), but the alternative is swimming.
How cross-chain bridges work: the mechanics
Here's the thing that confuses people: you can't actually "move" a token from Chain A to Chain B. The chains don't share a database. What a bridge does instead is lock your token on one side and create a copy on the other. Or burn it on one side and mint it on the other. Or match you with someone who already has what you need on the other side.
Three main models, and they each have tradeoffs.
Lock and mint. The original and most common approach. You send your tokens to a smart contract on the source chain. The bridge locks them there. On the destination chain, the bridge mints an equivalent number of "wrapped" tokens. Your 1 ETH on Ethereum becomes 1 wETH on Avalanche. When you want to go back, you burn the wrapped tokens and the bridge unlocks your original ETH. This is how Wormhole's Portal works and how Wrapped Bitcoin (wBTC) gets Bitcoin onto Ethereum.
Burn and mint. Similar idea, different mechanics. Instead of locking tokens, the bridge burns them on the source chain (destroys them permanently) and mints new native tokens on the destination chain. Circle's Cross-Chain Transfer Protocol (CCTP) uses this for USDC. The USDC burned on Ethereum is real USDC destroyed, and the USDC minted on Arbitrum is real USDC created. No wrapped assets, no IOUs. This works because Circle controls USDC issuance on both chains.
Liquidity pool bridges. No locking or burning at all. Instead, the bridge maintains pools of native tokens on multiple chains. You deposit USDC on Ethereum into the pool, and withdraw USDC from the Avalanche pool. Stargate (built on LayerZero) pioneered this model. The advantage: you always get native assets, not wrapped versions. The disadvantage: the bridge needs deep liquidity on every chain, and that liquidity has to come from somewhere.
A newer model called intent-based bridging has been gaining traction. Across Protocol is the main example. Instead of defining how the transfer should happen, you tell the bridge what you want: "I want 1,000 USDC on Arbitrum." A network of competitive relayers fills your order from their own capital, and gets reimbursed later through a settlement layer. Across reports median fill times of 2 seconds. The user doesn't care about lock/mint mechanics. They just get their tokens fast.
| Bridge type | How it works | Example | Tradeoff |
|---|---|---|---|
| Lock and mint | Lock on source, mint wrapped token on destination | Wormhole Portal, wBTC | Wrapped assets carry trust assumptions |
| Burn and mint | Burn on source, mint native on destination | Circle CCTP | Only works for assets with unified issuers |
| Liquidity pools | Deposit into pool on source, withdraw from pool on destination | Stargate (LayerZero) | Requires deep pre-funded liquidity |
| Intent-based | User states desired outcome, relayer fills it | Across Protocol | Newer, less battle-tested |
Types of cross-chain bridges: trusted vs trustless
The transfer mechanism is one half. The other half is how the bridge verifies that the cross-chain transaction is real.
Trusted bridges use a small validator set or a single company. Binance Bridge: Binance the company does the verifying. Ronin had nine validators. Five keys compromised and the whole thing fell over. Fast to build, easy to operate, catastrophic when they fail.
Trustless bridges try to verify without trusting anyone. On-chain light clients, zero-knowledge proofs, optimistic verification. The idea: prove that a transaction on Chain A actually happened by checking the math, not by asking a validator to vouch for it. NEAR's Rainbow Bridge does this with light clients. These are slower and more expensive to run. But nobody's keys can be stolen because there are no keys to steal.
Federated bridges split the difference. Axelar has 75+ proof-of-stake validators. Chainlink CCIP uses its oracle network plus a separate Risk Management Network as a circuit breaker. Not one company, not fully decentralized either. A middle ground that most serious money is moving toward.
Almost everything running in production today is somewhere on the spectrum between trusted and trustless. Pure trustlessness is technically possible but costs more and runs slower. Pure trust is cheap and fast and breaks spectacularly when it breaks. The market has been drifting toward federated models with slashable stakes and layered security, which feels like the pragmatic answer even if it's not the ideologically pure one.
The hack history: why bridges are crypto's biggest targets
Why do hackers love bridges? Because bridges hold enormous piles of locked tokens in smart contracts. It's like robbing a bank vault except the vault is code and the guards are validator keys. Since 2020, bridge exploits account for $2.5 billion+ in stolen crypto. That's roughly half of all DeFi losses during that stretch. In 2022 specifically, bridge hacks were 69% of total DeFi exploit losses.
| Incident | Date | Amount lost | What went wrong |
|---|---|---|---|
| Poly Network | August 2021 | $611 million | Flawed smart contract privileges (funds returned by white hat) |
| Wormhole | February 2022 | $320 million | Forged Solana signatures, vulnerability discovered but patch not deployed |
| Ronin Bridge | March 2022 | $625 million | 5 of 9 validator keys compromised via social engineering |
| Harmony Horizon | June 2022 | $100 million | 2 of 5 multisig keys stolen |
| Nomad | August 2022 | $190 million | Upgrade bug made every transaction appear valid to the contract |
What's the common thread? Small key sets. Ronin needed 5 keys. Harmony needed 2. That's not a crypto mystery. That's a bad security choice that got exploited by people who are very good at social engineering. The Nomad hack was even dumber: a code upgrade literally turned off the verification step.
After 2022 burned this hard, bridge security got a lot more serious. Slashable validator stakes, time-locked upgrades, bug bounties that actually pay real money, multiple independent audits, proof of reserves. Chainlink's CCIP added a dedicated Risk Management Network that can freeze transfers if something looks wrong. Things are better. They're not perfect. Bridges concentrate value in smart contracts and that will always attract people who want to take it.
Major bridges in 2025: who's running the infrastructure
The market has consolidated. A handful of protocols handle most of the volume and everyone else fights over scraps.
Portal (formerly Wormhole) is the biggest. Around $3.5 billion in TVL, 60+ chains connected, fees around $0.0001 per transfer. After the 2022 hack they rebuilt from scratch with extra security layers and haven't had a major incident since. Whether that's because the security is better or because they haven't been targeted again, nobody knows for certain.
Stargate runs on LayerZero's messaging layer. $370 million TVL. The main selling point: you get native assets instead of wrapped tokens. Their unified liquidity pool model means a USDC bridge from Ethereum to Arbitrum gives you real USDC, not some wrapped receipt.
Axelar ($320 million TVL) built their whole product around general message passing. Not just moving tokens but letting smart contracts on different chains call each other. 75+ proof-of-stake validators. Developers building multi-chain apps tend to like it.
Across ($98 million TVL) is the intent-based newcomer. You say "I want 1,000 USDC on Arbitrum" and a network of relayers races to fill your order. Median fill time: 2 seconds. They co-authored ERC-7683 with Uniswap, which is becoming a standard for how cross-chain intents get expressed. 50+ protocols support it now.
Chainlink CCIP sits in its own category. Not a bridge you'd use to move your personal tokens. More of an infrastructure standard for protocols that need cross-chain messaging baked into their architecture. The Risk Management Network layered on top is what differentiates it from other approaches.
Use cases of cross-chain bridges beyond token transfers
Bridges started as token ferries. Now they do a lot more.
Cross-chain DeFi is the obvious one. You hold ETH on mainnet, bridge it to Arbitrum for cheaper gas, use a lending protocol there, bridge returns back. Multi-chain strategies were impossible three years ago. Now they're routine.
NFTs can cross chains too. Portal moves NFTs between networks. The general message passing layer can carry any data, not just balances. That opens up cross-chain NFT marketplaces and cross-chain gaming inventories.
DAOs running on multiple chains use bridges for governance. A vote on Ethereum triggers execution on Polygon. Treasury operations sync across chains. This is niche right now but growing as more DAOs go multi-chain.
Stablecoins might end up being the highest-volume bridge use case long term. Circle built CCTP specifically for cross-chain USDC. A business collecting USDC payments on Solana can settle on Ethereum without wrapped assets. Clean, native, auditable. As stablecoin payments grow (and they're growing fast), this becomes critical infrastructure.
Risks of cross-chain bridges for users
Even after the post-2022 security upgrades, using a bridge carries specific risks you should understand.
Smart contract bugs are inherent to any protocol that runs on code. Bridges are especially complex because they interact with multiple chains, each with their own quirks. An audit on one chain doesn't cover the full cross-chain interaction.
Wrapped asset risk. If you hold wETH on Avalanche and the Wormhole bridge gets drained, your wETH might become unbacked. It still exists as a token, but there's no ETH locked on Ethereum behind it anymore. You'd be holding a receipt for goods that no longer exist.
Validator compromise. Even on bridges with 75+ validators, a coordinated attack on enough of them could theoretically drain the protocol. The more validators, the harder this becomes, but "harder" isn't "impossible."
Regulatory risk is emerging. As bridges move larger volumes, regulators are paying attention. Cross-chain transfers can complicate AML compliance because funds move between jurisdictions and blockchain environments. The OECD's CARF framework, rolling out through 2026-2027, will likely affect how bridge protocols handle reporting.
For users, the practical advice is simple: don't bridge more than you're willing to lose. Use bridges with long operational histories, multiple audits, and active bug bounties. Check if the bridge protocol has been hacked before and what they did about it. And whenever possible, use native bridges or official L2 bridges (like Arbitrum's native bridge) rather than third-party solutions.
