As the blockchain ecosystem shifts strongly from a monolithic structure to a multi-chain and modular model, interoperability protocols, also known as blockchain bridges, have become essential infrastructure. However, along with the convenience of moving capital come serious security risks.
Bridge attacks, also known as bridge hacks, not only cause billions of dollars in losses but also shake users' trust in the security of the entire decentralized finance (DeFi) market. According to analysis from the team of experts at Tan Phat Digital, to understand what bridge hacking is and why bridges have become the top target of cybercriminals, it is necessary to peel back the technical shell from operating mechanisms to modern defense strategies being deployed in the period 2025-2026.
The nature of blockchain bridges and the definition of bridge hacking
A blockchain bridge is a protocol that allows two or more separate blockchain networks to transmit information and assets to each other. Technically, networks like Ethereum, Solana or Bitcoin operate on independent consensus rules and ledgers, making it impossible for them to communicate directly. Bridges solve this problem by acting as an intermediary entity or a set of smart contracts that authenticates and executes cross-chain transfer commands.
Bridge hacking is a term used to refer to acts of intrusion, exploiting software errors or manipulating the governance mechanism of a bridge for the purpose of stealing assets being stored or circulating through that protocol. Due to the characteristics of the "lock-and-mint" mechanism, bridges often concentrate a large amount of collateral assets inside smart contracts on the original chain, creating extremely large liquidity concentration points (honeypots) that are attractive to hackers. When a vulnerability is exploited, the damage is often not limited to the amount of money lost but also entails the loss of value of the representative tokens (wrapped tokens) on the target chain.
Core Operating Mechanisms and Common Bridge Models
To analyze why bridges are often attacked, it is necessary to first consider their basic operating mechanisms. Most hacks originate from disrupting one of the steps in the cross-chain asset transfer process, including: asset loading, event validation, message transmission, and execution on the destination chain.
Below are common bridging models and associated risk characteristics:
Lock-and-Mint model: Locks the asset on the source chain and mints a copy (IOU) on the destination chain. The main risk lies in the deposit contract on the source chain, which is always the top attack target.
Burn-and-Mint model: Burns the asset on the source chain and re-mints the original asset on the destination chain. The risk of this model lies in how accurately the proof of burn is verified.
Liquidity Pool model: Uses available liquidity pools at both ends for direct swaps. The biggest risk is running out of liquidity or having hackers manipulate the price in the pool.
Atomic Swaps model: Peer-to-peer swaps through hashed time-locked contracts (HTLC). Although complex in terms of user experience, this model has higher security because it does not depend on intermediaries.
The Lock-and-Mint model is currently the most popular model but is also subject to the most attacks. Hackers often aim to steal the private keys of authenticators to forge messages, or exploit logic errors in smart contracts to mint coins without depositing actual assets.
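The lock-and-mint risk described above (minting without a matching deposit) can be monitored by reconciling events from both chains. The following is an added example, not code from any bridge project: the event shapes, field names, confirmation threshold and sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lock:            # deposit recorded by the source-chain contract
    deposit_id: str
    amount: int
    block: int         # source-chain block that contains the deposit

@dataclass(frozen=True)
class Mint:            # wrapped tokens issued on the destination chain
    deposit_id: str
    amount: int

def reconcile(locks, mints, source_head, min_confirmations):
    """Return (deposit_id, reason) for every mint that is not fully backed."""
    by_id = {lock.deposit_id: lock for lock in locks}
    seen, alerts = set(), []
    for mint in mints:
        lock = by_id.get(mint.deposit_id)
        if lock is None:
            alerts.append((mint.deposit_id, "mint without lock"))
        elif mint.deposit_id in seen:
            alerts.append((mint.deposit_id, "deposit replayed"))
        elif mint.amount > lock.amount:
            alerts.append((mint.deposit_id, "mint exceeds lock"))
        elif source_head - lock.block < min_confirmations:
            alerts.append((mint.deposit_id, "lock not yet final"))
        seen.add(mint.deposit_id)
    return alerts

def is_backed(locks, mints):
    """Global invariant: wrapped supply never exceeds locked collateral."""
    return sum(m.amount for m in mints) <= sum(l.amount for l in locks)

# Constructed sample events (not taken from any real bridge).
SAMPLE_LOCKS = [Lock("d1", 100, 1000), Lock("d2", 50, 1010), Lock("d3", 10, 1095)]
SAMPLE_MINTS = [Mint("d1", 100), Mint("d2", 50), Mint("d2", 50),
                Mint("d9", 2_000_000), Mint("d3", 10)]

if __name__ == "__main__":
    for alert in reconcile(SAMPLE_LOCKS, SAMPLE_MINTS, source_head=1100,
                           min_confirmations=12):
        print(alert)
    print("fully backed:", is_backed(SAMPLE_LOCKS, SAMPLE_MINTS))
```

The per-deposit alerts point at the offending event, while the global supply check still fires if individual events were missed.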
Why are blockchain bridges often attacked?
The sudden increase in cross-chain bridge hacks in recent years stems from many synergistic factors:
Huge concentration of liquidity
A successful bridge usually has a very large total value locked (TVL). For hackers, attacking a bridge is many times more profitable than attacking a single DeFi application. When a smart contract stores hundreds of millions of dollars, hackers can spend months studying every line of code to find a single loophole.
Complexity of multi-component architecture
The security of a bridge depends on the security of all the blockchains it connects, along with the oracle system and relay nodes. A small mistake in data handling between two different virtual machine environments can lead to serious logic flaws. Hackers often exploit the lack of synchronization in the finality rules of chains.
Risks from centralized governance
Many bridges are still operated by a small group of validating nodes or multisig wallets. Insecure private key management is a leading cause of major hacks. If hackers use social engineering or malware to steal enough keys, they can take full control of the bridge.
Analyzing common attack vectors in bridge hacking
According to records from Tan Phat Digital's monitoring system, bridge attacks often fall into the following categories:
Compromised Keys: The hacker steals the authenticator's private key via phishing or malware. Typical examples include Ronin, Harmony, and Orbit Chain.
Logic Errors: Attackers find ways to bypass signature checks or use fake proof authentications. The Wormhole, Nomad and Qubit hacks are clear examples of this vector.
Access Control: Taking over administrative rights to change important roles in the system (such as keeper or owner). The Poly Network case is a good example.
Oracle Manipulation: Manipulation of price data or events from off-chain data feeds, often combined with Flash Loan attacks.
Classic bridge hacks and valuable lessons
Ronin Bridge (2022) - 624 million USD: The biggest mistake was maintaining an overly centralized set of validators. Hackers only needed to take control of 5/9 authentication nodes, through a PDF file containing malicious code sent to employees, to illegally withdraw money.
Nomad Bridge (2022) - 190 million USD: A disaster due to misconfiguration after an update, causing all incoming messages to be automatically considered valid. This created a collective "loan" when many users simply copied the hacker's transactions to withdraw money.
ByBit (2025) - 1.4 billion USD: Done through multisig wallet intrusion. Attackers have executed unusual approval commands on many networks, confirming that even large exchanges are at risk when key management is compromised by professional criminal groups.
Bridge security solutions: Practice 2025-2026
To minimize the risk of bridges being hacked and losing money, Tan Phat Digital summarizes the advanced security models currently being applied:
Zero-Knowledge Proof (ZK-Proof): Direct mathematical verification mechanism. The advantage is that the risk from third parties is completely eliminated, but the disadvantage is that the computational cost is still high.
Optimistic model: Based on a complaint-and-penalty mechanism. The advantage is low cost and ease of deployment; however, the withdrawal time is often very long (can be up to 7 days).
Light Client: Run light nodes directly on the target chain to check for evidence from the source chain. This solution brings native security from the blockchain itself but is difficult to deploy between chains with different architectures.
DONs + RMN System (Chainlink CCIP): Combines multi-authentication networks with independent Risk Management Network. This is a multi-layer defense solution from reputable entities, although it still depends partly on the provider's infrastructure.
The legal status and security of blockchain in Vietnam
Vietnam is currently in the group of countries with the largest on-chain transaction value in the world. In the period 2025-2026, the Government has taken specific steps:
Resolution No. 05/2025/NQ-CP: Allows piloting the crypto asset market within 5 years.
Circular No. 27/2025/TT-NHNN: Regulations on reporting international asset transfer transactions over 1,000 USD.
Security warning: Experts at Tan Phat Digital noted that personal wallet vulnerabilities accounted for more than 23% of losses in Vietnam, mainly due to users being tricked into sharing recovery phrases via fake bridge websites.
Risk management guide for investors
To ensure safety, Tan Phat Digital recommends that users carry out a strict due diligence process:
Check the authentication model: Prioritize trustless bridges or use cryptographic proofs (ZK, Light Client).
Governance verification: Check whether the project uses a reputable third-party multisig wallet or MPC solution.
Audit History: Only use bridges that have been audited by multiple independent entities and have an active bug bounty program.
Use Aggregators: Platforms like Li.Fi or MetaMask Portfolio Bridge help diversify risk and automatically navigate through the safest routes.
Case Study: Shocking Bridge Attacks (2021-2025)
1. Bybit (February 2025) - 1.5 billion USD This is the largest hack in crypto history. Hackers (believed to be the Lazarus group) have penetrated Bybit's Safe-based multisig wallet system. Through taking control of the signing keys, the attacker approved massive transfers (over 401,000 ETH) to various chains such as Arbitrum before dispersing.
2. Ronin Network (March 2022) - 624 million USD The attack targeted the bridge of the game Axie Infinity. Hackers used social engineering techniques (sending PDF files containing malicious code via LinkedIn) to take control of 5 out of 9 authentication nodes. This is a typical example of the risks of centralized management.
3. Poly Network (August 2021) - 612 million USD Attackers exploited a vulnerability in the verifyHeaderAndExecuteTx function, allowing them to change the address of the "keeper" to their own address. The hacker then withdrew funds from many different chains. What's rare is that the hacker returned almost all the money later.
4. BNB Chain / BSC Token Hub (October 2022) - 600 million USD A sophisticated vulnerability in the Merkle proof authentication system (IAVL Merkle proof) allowed hackers to create fake proofs. The attacker tricked the bridge into minting an additional 2 million BNB tokens without depositing the counterpart assets.
5. Wormhole Bridge (February 2022) - $326 million Hackers exploited a bug in the verify_signatures function by injecting a fake "sysvar" account. This tricks the smart contract into believing that validators have approved the deposit order, allowing the hacker to mint 120,000 wETH on the Solana network.
6. Cetus Protocol (May 2025) - 223 million USD The hack targeted the DEX and the bridge on the Sui network. Hackers used fake tokens (spoofed tokens) with identical names to real tokens to trick the liquidity pool's pricing algorithm, thereby draining other valuable assets.
7. Nomad Bridge (August 2022) - 190 million USD After an upgrade, the project accidentally set the "trusted root" value to 0x00. This error causes all incoming transactions to be considered valid by default. The incident turned into a collective "loan" when hundreds of people simply copied and pasted the hacker's transaction code to withdraw money.
8. Multichain (July 2023) - 125 million USD This is not necessarily a technical error but an administrative risk. The entire bridge private key is under the sole control of the project CEO. When he was arrested, unusual withdrawals occurred, showing the terrible danger of lack of decentralization.
9. Harmony Horizon Bridge (June 2022) - 97 million USD Similar to Ronin, hackers have gained control of the MultiSig wallet owner's account. With only 2 out of 5 signatures exposed, the attacker was able to self-approve mass transfer orders to personal wallets.
10. Orbit Chain (January 2024) - 81 million USD Hackers successfully penetrated and took control of 7 out of 10 private keys of the multisig system. With a majority of votes, they easily drained the liquidity pools on this bridge.
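The Nomad case (item 7) is a default-value flaw: once the zero root is trusted, a message that was never proven is looked up as zero and passes. The following is an added example, a simplified model written for this page and not the project's contract code; the class, function names and sample messages are assumptions. It shows the flawed check beside a hardened one, plus a pre-deployment configuration check.

```python
import hashlib

ZERO_ROOT = bytes(32)  # what an unset storage slot reads as

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def root_from_proof(leaf, siblings, index):
    """Recompute the Merkle root from a leaf and its sibling path."""
    node = leaf
    for sibling in siblings:
        node = h(sibling, node) if index & 1 else h(node, sibling)
        index >>= 1
    return node

def config_ok(trusted_roots):
    """Pre-deployment check: the empty root must never be trusted."""
    return ZERO_ROOT not in trusted_roots

class Inbox:
    def __init__(self, trusted_roots, hardened):
        self.trusted = set(trusted_roots)
        self.proven_root = {}          # message leaf -> root it was proven under
        self.hardened = hardened

    def prove(self, leaf, siblings, index):
        self.proven_root[leaf] = root_from_proof(leaf, siblings, index)

    def process(self, leaf):
        if self.hardened:
            # Require an explicit proof record and never accept the zero root.
            root = self.proven_root.get(leaf)
            return root is not None and root != ZERO_ROOT and root in self.trusted
        # Flawed: an unproven message falls back to the zero root.
        return self.proven_root.get(leaf, ZERO_ROOT) in self.trusted

# Constructed two-leaf tree and an unproven message.
LEAF_A, LEAF_B = h(b"transfer:alice:10"), h(b"transfer:bob:5")
ROOT = h(LEAF_A, LEAF_B)
UNPROVEN = h(b"transfer:nobody:1000000")
BAD_CONFIG = {ROOT, ZERO_ROOT}         # the post-upgrade mistake

if __name__ == "__main__":
    print(config_ok(BAD_CONFIG))                                # False
    print(Inbox(BAD_CONFIG, hardened=False).process(UNPROVEN))  # True
    print(Inbox(BAD_CONFIG, hardened=True).process(UNPROVEN))   # False
```

Running `config_ok` in the upgrade pipeline catches the misconfiguration before deployment, and the hardened `process` keeps the message check safe even if that gate is skipped.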
Frequently Asked Questions (FAQs)
1. What exactly is bridge hacking? It is a criminal activity that targets blockchain bridges to steal digital currency. Hackers often take advantage of errors in the source code (smart contracts) or steal the system's private keys to withdraw money from the bridge.
2. Why are bridges attacked more often than other applications? Because bridges are the centralized "money holding" place of thousands of users as collateral. A successful attack on the bridge can bring hundreds of millions of dollars to hackers, making them the most lucrative bait in DeFi.
3. What security errors are the most common today? The most common error is unsafe private key management. When a bridge is controlled by only a small group of people (for example, a multisig model), hackers only need to hack the computers of a few members to take control of the entire bridge.
4. How did the Ronin Bridge (Axie Infinity) hack happen? Hackers used sophisticated phishing techniques to infiltrate Sky Mavis employees' computers, thereby obtaining 5 out of 9 signatures needed to approve the withdrawal order. This is a great lesson about not allowing control to be too centralized.
5. How does Zero-Knowledge (ZK) technology make bridges more secure? Instead of trusting a group of validators, ZK bridges use mathematical proofs to automatically verify transactions. If the math doesn't match, funds cannot move, eliminating the risk of hackers stealing admin keys.
6. What is special about Chainlink CCIP in security? CCIP uses a "multi-layer defense" model, most notably the Risk Management Network (RMN). RMN is written in a different programming language (Rust) for independent monitoring and can act as an emergency "circuit breaker" if abnormal transactions are detected.
7. If money is lost due to bridge hack, can I get it back? Very difficult. Due to the anonymous nature of blockchain, money once dispersed through mixers is virtually impossible to trace. However, some large projects may refund users from reserve funds or if hackers return funds to receive rewards.
8. How do you know if a bridge is safe before using it? You should check to see how many reputable companies (like Trail of Bits or OpenZeppelin) have audited the source code of the project, whether they have a Bug Bounty program, and whether their authentication model is decentralized or dependent on an individual.
9. Does Vietnam's 2025 law protect users when bridges are hacked? Currently, Vietnam is in the pilot phase (Resolution 05/2025/NQ-CP). Although there are regulations on reporting international transactions over 1,000 USD (Circular 27/2025/TT-NHNN), the legal framework protecting the ownership of crypto assets is still being finalized, making reclaiming hacked assets still challenging.
10. Why does Tan Phat Digital recommend using Bridge Aggregator? Because aggregators like Li.Fi or Socket help you choose the safest route from many different bridges. If a single bridge shows signs of failure or hacking, the system will automatically redirect your funds to other reputable bridges.
Bridge hacking will still be a difficult problem in the future, but with the development of technologies such as ZK-Proofs and a clearer legal framework, the risks for users will gradually be minimized. Vigilance and solid knowledge are the best "armor" for your assets in this multi-chain era.








