Blockchain Bridges Explained

How cross-chain bridges work, their security models, and the risks of moving assets between blockchains.

Intermediate 20 min read

🎯 What You'll Learn

  • Understand how cross-chain bridges work
  • Learn the different bridge security models
  • Identify bridge risks and attack vectors
  • Choose the right bridge for your use case

Why Bridges Matter

Blockchains are isolated by design. Your ETH on Ethereum can’t directly interact with Solana. Bridges connect these islands.

Without bridge: ETH ←✕→ SOL (no connection)
With bridge:    ETH ←→ Wrapped ETH on Solana

But bridges are also the biggest source of hacks in crypto: over $2B stolen in 2022 alone.


What You’ll Learn

By the end of this lesson, you’ll understand:

  1. How bridges work - Lock, mint, burn, unlock
  2. Security models - Trusted, trustless, optimistic
  3. Attack vectors - How bridges get hacked
  4. Risk assessment - Choosing safer bridges

The Foundation: Lock and Mint

The basic bridge mechanism:

Lock ETH on Ethereum → Bridge Validators → Mint wETH on Solana

To go back:

Burn wETH on Solana → Bridge Validators → Unlock ETH on Ethereum

The bridge holds real ETH; you hold a “wrapped” representation on the destination chain.


The “Aha!” Moment

Here’s the key insight about bridge security:

Every bridge is only as secure as its weakest validator set. If the bridge is secured by 5 validators and 3 collude (or get hacked), they can mint unlimited wrapped tokens and steal all locked funds. This is exactly what happened to Ronin ($600M) and Wormhole ($320M).

The question is always: Who validates, and how many need to collude to steal?
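
The lock-and-mint flow and the threshold question above, as a toy model (an added example, not code from any real bridge): HMAC with constructed keys stands in for validator signatures, and the `Bridge` class, the 5-of-9 threshold and the message format are assumptions. It shows that the destination side sees only the attestation, so the condition worth monitoring is that wrapped supply never exceeds locked collateral.

```python
import hashlib
import hmac

# Constructed keys. HMAC stands in for the public-key signatures a real bridge verifies.
VALIDATOR_KEYS = {f"v{i}": f"constructed-key-{i}".encode() for i in range(9)}
THRESHOLD = 5  # 5-of-9 signing threshold (assumed for this example)

def sign(validator, message):
    return hmac.new(VALIDATOR_KEYS[validator], message, hashlib.sha256).digest()

def count_valid(message, signatures):
    """Number of distinct known validators with a valid signature on message."""
    valid = set()
    for validator, sig in signatures:
        key = VALIDATOR_KEYS.get(validator)
        if key and hmac.compare_digest(sig, hmac.new(key, message, hashlib.sha256).digest()):
            valid.add(validator)  # a set, so a repeated signer counts once
    return len(valid)

class Bridge:
    def __init__(self):
        self.locked = 0    # real ETH held by the bridge on the source chain
        self.wrapped = 0   # wrapped supply on the destination chain
        self.seen = set()  # processed deposit ids, to reject replays

    def lock(self, amount):
        self.locked += amount

    def mint(self, deposit_id, amount, signatures):
        # The destination chain cannot see the lock; it only sees the attestation.
        message = f"mint|{deposit_id}|{amount}".encode()
        if deposit_id in self.seen:
            raise ValueError("replayed deposit")
        if count_valid(message, signatures) < THRESHOLD:
            raise ValueError("below signing threshold")
        self.seen.add(deposit_id)
        self.wrapped += amount

    def burn_and_unlock(self, amount):
        if amount > self.wrapped:
            raise ValueError("burn exceeds wrapped supply")
        self.wrapped -= amount
        self.locked -= amount

    def is_backed(self):
        """Invariant a monitor should check: wrapped supply <= locked collateral."""
        return self.wrapped <= self.locked
```

In this model a mint attested by five keys with no matching lock is accepted, and `is_backed()` turns false; that mismatch is the signal a bridge health monitor should alert on.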


Bridge Security Models

1. Trusted (Centralized)

Security: Single org or small multisig
Examples: Binance Bridge, centralized exchanges
Risk: One company can freeze/steal funds

2. Federated (Multi-party)

Security: N-of-M multisig (e.g., 5-of-9)
Examples: Wormhole, Multichain
Risk: If M/2+1 validators collude → funds stolen

3. Light Client / Trustless

Security: Cryptographic proofs verified on-chain
Examples: IBC (Cosmos), Succinct bridges
Risk: Smart contract bugs only

4. Optimistic

Security: Fraud proofs + challenge period
Examples: Optimism bridge, Arbitrum bridge
Risk: Need honest watcher during challenge period

Model          Trust Required   Hack Risk   Speed
Trusted        High             High        Fast
Federated      Medium           Medium      Fast
Light Client   Low              Low         Slow
Optimistic     Low              Low         Slow (days)

Real Bridge Attacks

Ronin Bridge ($600M, 2022)

Cause: 5 of 9 validators compromised
Method: Hackers got private keys, signed fake withdrawals
Prevention: More validators, better key management

Wormhole ($320M, 2022)

Cause: Smart contract bug
Method: Fake signature allowed minting without deposit
Prevention: Better auditing, formal verification

Nomad ($190M, 2022)

Cause: Code allowed any message to be valid
Method: Copy-paste attack (anyone could steal)
Prevention: Test coverage, invariant testing

Common Misconceptions

Myth: “Decentralized bridges are safe.”
Reality: “Decentralized” can mean 9 validators controlled by the same team. Check WHO the validators are, not just how many.

Myth: “Audited bridges are secure.”
Reality: Wormhole and Nomad were audited. Audits find some bugs, not all. Never bridge more than you can afford to lose.

Myth: “Big TVL means safe.”
Reality: Big TVL means big target. Hackers prioritize high-value bridges. Ronin had billions locked.


Risk Assessment Checklist

Before using a bridge, ask:

1. Who are the validators?
   □ Named entities (good)
   □ Anonymous (bad)
   
2. How many need to sign?
   □ Threshold (e.g., 5-of-9)
   □ Single party (very bad)
   
3. What's the security model?
   □ Light client proofs (best)
   □ Optimistic with fraud proofs (good)
   □ Multisig only (risky)
   
4. Has it been hacked before?
   □ No history (neutral)
   □ Previously hacked (check fix quality)
   
5. What's at risk?
   □ Your transaction amount
   □ All locked funds (if bridge fails)

Safer Bridge Practices

  1. Use native bridges when possible (rollup → L1)
  2. Split large amounts across multiple bridges
  3. Wait for finality before trusting funds
  4. Check validator set before bridging
  5. Monitor bridge health (TVL changes, validator activity)

Practice Exercises

Exercise 1: Research a Bridge

Pick a bridge you use. Find:
- How many validators?
- What's the signing threshold?
- Who runs the validators?
- Any previous incidents?

Exercise 2: Calculate Risk

You want to bridge $10,000.
Bridge TVL: $100M
Historical hack rate: 1 per year

What's your expected loss?

Exercise 3: Compare Options

For ETH → Polygon:
- Official Polygon Bridge
- Hop Protocol  
- Across Protocol

Compare: Security model, speed, fees

Key Takeaways

  1. Bridges = honeypots - High value, complex attack surface
  2. Validator set is everything - Know who can sign
  3. Light client > multisig - Cryptographic proofs beat trust
  4. Never bridge more than you can lose - Hacks are inevitable

What’s Next?

🎯 Continue learning: Blockchain Consensus Mechanisms

🔬 Expert content: Cross-Chain Security

Now you understand the risks of moving assets between chains. 🌉
