guide · 18 min read · 2026-05-15
Bridge security postmortems: what 4 years of cross-chain hacks taught us (2022–2026)
Cross-chain bridges have lost more than $2.8 billion to exploits since 2022 — by Chainalysis' count, the single most-targeted category of infrastructure in the entire crypto stack. The same failure modes keep coming back: validator keys held by too few people, signature checks that don't check what they look like they check, initialization bugs that turn a routine upgrade into a free-for-all. This piece walks through eight of the most consequential bridge incidents from 2022 through April 2026, what went wrong at the byte level, and what each one should have changed in how the industry builds. If you're here because you're evaluating a bridge before signing a swap, the companion guide covers how the surviving engines (LiFi, Relay, THORChain) compare on routing.
Poly Network — August 2021 — $611M (recovered)
What happened
On 10 August 2021 an attacker drained roughly $611M worth of assets from Poly Network across Ethereum, BSC and Polygon — at the time the largest DeFi theft on record. The attacker then, inexplicably, returned everything over the next 15 days, claiming the exploit was for "fun" and to pressure the team into fixing the bug. Almost all funds were recovered.
Root cause
Poly Network used a contract called EthCrossChainManager that could call any function on any contract on its behalf. Behind it sat an EthCrossChainData contract whose owner was the Manager itself — the Manager was its own privileged caller. The attacker crafted a cross-chain message whose target method, after function-selector collision, resolved to putCurEpochConPubKeyBytes on the Data contract. That function rotated the keeper public key. With one message the attacker became the keeper, and as keeper they could authorise any withdrawal.
What it taught the industry
Privileged contracts that can invoke arbitrary functions on privileged contracts are an irreducible footgun. The lesson — ironically the same lesson that the EVM teaches in every Solidity 101 lecture about delegatecall — is that capability granularity matters. A bridge router should not be able to mutate its own access-control state. After Poly, several teams introduced a separation between message-passing contracts and contracts that change the trusted signer set; the Wormhole and Nomad failures below show how partial that fix turned out to be.
Wormhole — February 2022 — $326M
What happened
On 2 February 2022 an attacker minted 120,000 wETH on the Solana side of the Wormhole bridge — about $326M at the time — without depositing anything on the Ethereum side. They bridged 93,750 wETH back to Ethereum and held the rest on Solana. Jump Crypto, the project's parent, replaced the missing ETH from its own treasury within 24 hours so that wETH on Solana stayed fully backed.
Root cause
Wormhole's Solana program verified guardian signatures by looking at a previous instruction in the same transaction — the standard Solana pattern of pairing a Secp256k1 precompile call with your verification logic. To find that previous instruction the program called load_instruction_at, a function that reads from whatever account you pass as the "Instructions sysvar." The function did not check that the account passed in was the real Instructions sysvar.
The attacker passed in a regular account they owned, populated with data that looked like a successful Secp256k1 verification of a guardian-signed message. The program read the fake data, believed the signatures were valid, and minted. Solana had already shipped a fix — load_instruction_at_checked, which validates the sysvar account address — and Wormhole had merged the upgrade into its repo but not yet deployed to mainnet. Watchers of the public commit log appear to have been faster than the deploy pipeline.
What it taught the industry
Two lessons. First: framework-provided helpers can be deprecated for security reasons, and "deprecated" sometimes means "there is a known sysvar substitution attack against this function." Auditors now treat any deprecation notice in Solana, Cosmos, Substrate or Move tooling as a P0 review item. Second: merging a security fix to a public repo before deploying it is a race condition with attackers. The safer pattern is to deploy to mainnet from a private fork and only push to public after the upgrade is live, or to coordinate the merge and deploy in the same window.
Ronin — March 2022 — $625M
What happened
On 23 March 2022 an attacker forged two withdrawal transactions from the Ronin bridge, draining 173,600 ETH and 25.5M USDC — about $625M at the time, and what was then the largest DeFi heist in history. The exploit went unnoticed for six days; Sky Mavis only noticed on 29 March when a user complained they couldn't withdraw 5,000 USDC. The US Treasury later attributed the theft to North Korea's Lazarus Group.
Root cause
Ronin used a 5-of-9 multisig validator set to authorise bridge withdrawals. Four of the nine validators were operated by Sky Mavis. The fifth was operated by Axie DAO and had — months earlier, during a load spike in November 2021 — been allowlisted to let Sky Mavis sign transactions on its behalf. The allowlist was supposed to be temporary. It was discontinued in December 2021 but the access was never revoked.
A senior Sky Mavis engineer was approached on LinkedIn by a fake recruiter offering an unusually generous job. After several rounds of fake interviews the attacker delivered the "offer letter" as a PDF. Opening it installed spyware. From the engineer's machine the attacker pivoted into Sky Mavis' infrastructure, extracted the four Sky Mavis validator keys, and used the still-live Axie DAO allowlist to sign as the fifth. Five of nine. Quorum. Withdrawals approved.
What it taught the industry
M-of-N is only as strong as your M weakest key custodians. Every validator-set bridge should publish (a) who holds each key, (b) what HSM or air-gapped procedure protects it, (c) what the key-rotation cadence is, and (d) what the revocation procedure looks like for cases like the Axie DAO allowlist. Almost no bridge does this with the granularity Ronin's incident demanded. Ronin itself moved to 11 validators after the hack, then larger still. But the structural problem — that a small validator set is a small attack surface — has not been solved by adding more nodes; it has only been spread thinner. The Orbit Chain incident below shows the same pattern reappearing two years later.
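The custody concentration described above can be audited mechanically. The following is an added example, not code from Ronin or Sky Mavis: it computes the smallest group of entities whose own and delegated signing rights reach quorum. The validator list is constructed from the page's description, and the `operator-N` names and all function names are assumptions.

```python
from itertools import combinations

# Constructed validator set mirroring the page's description: 5-of-9, four keys
# run by Sky Mavis, one by Axie DAO with signing delegated to Sky Mavis.
# The "operator-N" names are placeholders; the page does not name the other four.
THRESHOLD = 5
VALIDATORS = [
    {"id": "v1", "operator": "Sky Mavis", "delegates": []},
    {"id": "v2", "operator": "Sky Mavis", "delegates": []},
    {"id": "v3", "operator": "Sky Mavis", "delegates": []},
    {"id": "v4", "operator": "Sky Mavis", "delegates": []},
    {"id": "v5", "operator": "Axie DAO", "delegates": ["Sky Mavis"]},
    {"id": "v6", "operator": "operator-6", "delegates": []},
    {"id": "v7", "operator": "operator-7", "delegates": []},
    {"id": "v8", "operator": "operator-8", "delegates": []},
    {"id": "v9", "operator": "operator-9", "delegates": []},
]


def signing_rights(validators):
    """Map each entity to the validator keys it can sign with, own or delegated."""
    rights = {}
    for v in validators:
        for entity in [v["operator"], *v["delegates"]]:
            rights.setdefault(entity, set()).add(v["id"])
    return rights


def min_entities_for_quorum(validators, threshold):
    """Smallest group of entities whose combined signing rights reach quorum.

    Exhaustive search: validator sets are small, and delegation makes the key
    sets overlap, so a greedy count is not guaranteed to be minimal.
    """
    rights = signing_rights(validators)
    entities = sorted(rights)
    for size in range(1, len(entities) + 1):
        for group in combinations(entities, size):
            keys = set().union(*(rights[e] for e in group))
            if len(keys) >= threshold:
                return list(group)
    return None  # threshold unreachable


def revoke_delegations(validators, entity):
    """Return a copy of the set with every delegation to `entity` removed."""
    return [{**v, "delegates": [d for d in v["delegates"] if d != entity]}
            for v in validators]


if __name__ == "__main__":
    print("with stale allowlist:", min_entities_for_quorum(VALIDATORS, THRESHOLD))
    cleaned = revoke_delegations(VALIDATORS, "Sky Mavis")
    print("after revocation:   ", min_entities_for_quorum(cleaned, THRESHOLD))
```

A result of one entity means the nominal 5-of-9 is a 1-of-1 at the organisational level; revoking the stale delegation raises it to two.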
Nomad — August 2022 — $190M
What happened
On 1 August 2022 a routine implementation upgrade to Nomad's Replica contract introduced a bug that let any previously-unprocessed message verify as valid. After a single attacker discovered the flaw, the exploit became copy-pasteable: anyone watching mempool could replicate the transaction, swap in their own recipient address, and drain another tranche. Roughly $190M was drained over a few hours by hundreds of independent wallets — the first public smart-contract exploit that resembled a crowd-sourced bank run. White hats recovered roughly $36M.
Root cause
Nomad's Replica tracked which message roots were considered "committed" in a mapping confirmAt[bytes32 root] => uint256. A non-zero value meant trusted; zero meant untrusted. During the upgrade an initialiser was called with _committedRoot = bytes32(0). The initialiser unconditionally set confirmAt[_committedRoot] = 1, which meant confirmAt[bytes32(0)] = 1 — the zero hash was now trusted.
The process() function checked validity by computing a Merkle proof of the message against a stored root. Solidity mappings return bytes32(0) for any key never written. So for any message hash that had not yet been processed, the lookup returned 0, the validator looked up confirmAt[0], found the magic value 1, and accepted the message. Anyone could craft a message claiming any amount of any token to any address and have it verify.
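The interaction between the mapping default and the initialiser is easier to see in a small model. This is an added Python illustration, not Nomad's Solidity: `confirm_at`, `process` and the committed root follow the names on the page, while `messages`, `prove`, `acceptable_root` and the hardened subclass are assumptions, and Merkle proof verification is replaced by a stand-in.

```python
import hashlib

ZERO = b"\x00" * 32  # bytes32(0)


class Replica:
    """Model of the acceptance path with the initialiser behaviour the page describes."""

    def __init__(self):
        self.confirm_at = {}  # confirmAt: root -> uint256, unset reads as 0
        self.messages = {}    # message hash -> root it was proven under

    def initialize(self, committed_root):
        self.confirm_at[committed_root] = 1  # unconditional, even for bytes32(0)

    def prove(self, message_hash, root):
        # Stand-in for Merkle proof verification: records the proven root.
        self.messages[message_hash] = root

    def acceptable_root(self, root):
        return self.confirm_at.get(root, 0) != 0

    def process(self, message_hash):
        # A never-proven message reads back as bytes32(0), like a Solidity mapping.
        root = self.messages.get(message_hash, ZERO)
        return self.acceptable_root(root)


class HardenedReplica(Replica):
    def initialize(self, committed_root):
        if committed_root == ZERO:
            raise ValueError("refusing to commit bytes32(0) as a root")
        super().initialize(committed_root)

    def acceptable_root(self, root):
        # The default value can never be a trust marker, whatever storage holds.
        return root != ZERO and super().acceptable_root(root)


def unproven_message_accepted(replica_cls, committed_root):
    """Initialise a replica, then process a message nobody ever proved."""
    replica = replica_cls()
    replica.initialize(committed_root)
    unproven = hashlib.sha256(b"constructed message, never proven").digest()
    return replica.process(unproven)
```

The hardened variant applies both fixes independently: the initialiser rejects the zero root, and the acceptance check refuses it even if storage already marks it trusted.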
What it taught the industry
Initialisers are the most dangerous code in any upgradeable contract — they run rarely, they bypass constructor invariants, and a bad initial value can convert a safe primitive into a money faucet. The Nomad postmortem became a teaching artifact for every audit firm that does upgrade reviews. Practical changes that came out of it: explicit zero-checks on initialisers (don't allow address(0) or bytes32(0) as a committed-root); separation of "set the initial value" from "mark a value trusted"; and dry-run frameworks like Tenderly fork-upgrades that simulate the post-upgrade state before sending the transaction.
Multichain (Anyswap) — July 2023 — $130M+
What happened
On 7 July 2023 Multichain's bridge contracts began emitting unauthorised withdrawals — roughly $125M from the Fantom bridge alone, with smaller drains from Moonriver, Dogechain and others. Within 48 hours the team confirmed the worst: CEO Zhao Jun had been arrested by Chinese police on 21 May 2023 and held incommunicado. The bridge's MPC keys had been on his personal infrastructure. After his arrest the team had no access to operational keys and no clarity on who did. The protocol shut down on 14 July 2023.
Root cause
Multichain marketed itself as a decentralised bridge using multi-party computation (MPC) to split signing authority. In practice — as the post-collapse forensics revealed — the MPC nodes were almost entirely under the operational control of the founder. The Singapore court ruling in the related liquidation case fanned broad suspicion that the "hack" was at minimum adjacent to insider activity. Whatever the precise mix of external attacker and inside knowledge, the structural fact is that funds custodied by the protocol depended on one person staying free, alive and willing to coordinate.
What it taught the industry
Not all "decentralised" bridges are decentralised, and the proof is not in the marketing. Look for: independent operator addresses funded from independent wallets, geographic distribution of operator nodes, public dashboards showing per-operator signing activity, and — critically — what the documented procedure is for removing a compromised or unreachable operator. If the answer to "what happens if the founder disappears" is "we don't know," the bridge is a custodian with extra steps. In Multichain's case, several major aggregators (LiFi, Socket) quietly removed Multichain routing months before the collapse. That kind of route-level reputational signal is one of the few pieces of public information that sometimes tracks ahead of the crisis.
Orbit Chain — December 2023 — $81M
What happened
At 20:52 UTC on 31 December 2023, an attacker drained roughly $81.5M from Orbit Bridge's ETH vault — USDT, USDC, ETH, WBTC and DAI. The exploit happened in the operationally quietest possible window, the New Year's Eve handover. Halborn and others later linked the attacker behaviour to Lazarus Group, though attribution is never certain.
Root cause
Orbit Bridge used a 7-of-10 multisig to authorise withdrawals. The attacker compromised seven private keys. The forensic public record is thin — Orbit's postmortem never specified the initial intrusion vector — but the pattern fit: phishing, spear-phishing, or an HR-channel social engineering operation against someone with custody of a critical key.
What it taught the industry
Ronin happened in March 2022. Orbit happened in December 2023. The attack was structurally identical — get a quorum of multisig keys, drain the vault — and twenty-one months of public industry attention had not produced a defensive posture good enough to stop a recurrence. The lesson is uncomfortable: the multisig-bridge model is fundamentally a human-security problem dressed up as a cryptographic one. Real defences are organisational (HSMs with mandatory dual-control, key holders who don't know each other, hardware-isolated signing ceremonies) and the bridges that don't invest in that organisational layer are reservoirs waiting to be drained.
Poly Network (again) — July 2023 — ~$10M realised
What happened
On 1 July 2023 Poly Network was hit a second time. The attacker crafted a cross-chain message with a forged block header and forged validator signature, which the receiver contracts accepted. Using this they minted what nominally totalled roughly $43 billion in tokens — billions of BUSD, trillions of SHIB — across ten chains. Liquidity wasn't there to cash out the headline number; security firms estimate the realised theft at around $10M.
Root cause
The forged message verified because the keeper-key system — the same architectural piece that failed in the 2021 incident, though through a different mechanism — had keepers' keys compromised. Three of four required keys were under attacker control. The contract dutifully verified what looked like a properly-signed cross-chain proof and called the mint endpoints on the destination chains.
What it taught the industry
Mostly: that a bridge that has been thoroughly exploited once can be thoroughly exploited again two years later if the response to the first incident was "return the funds and patch" rather than "rebuild the trust model." Poly Network's keeper-key architecture survived 2021 with cosmetic changes. By 2023 the attacker community had two years to study it. The broader lesson is that recovery without re-architecture buys you calendar time, not security; the attackers who didn't catch the original flaw still have years to catch the structural successor.
Ronin (again) — August 2024 — $12M (returned)
What happened
On 6 August 2024 the upgraded Ronin Bridge V2 was exploited for roughly $12M — 4,000 ETH and $2M in USDC. The attacker's transaction was front-run by MEV bots, which captured the funds and then voluntarily returned them to Sky Mavis. Ronin awarded a $500K bug bounty to the bots' operators.
Root cause
During the V2 deployment, only the initializeV4 function was called. initializeV3 was skipped. The skipped initializeV3 was responsible for setting _totalOperatorWeight; without it, the value defaulted to 0. Withdrawal authorisation logic computed "signatures collected / total weight" — a quorum check that, against a denominator of zero, either reverts or, as in this implementation, treats zero as "no quorum required." Anyone could authorise a withdrawal.
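A post-upgrade gate that would have flagged this state, as an added Python model rather than Ronin's contract code. `initializeV3`, `initializeV4` and `_totalOperatorWeight` come from the page; the class, the 70% threshold, the cross-multiplied form of the quorum check and the empty body of V4 are assumptions.

```python
class BridgeManager:
    """Model of versioned initialisers; V4's body is a placeholder (assumption)."""

    REQUIRED = ("initializeV3", "initializeV4")

    def __init__(self, num=70, den=100):  # 70% threshold is an assumed value
        self.total_operator_weight = 0    # _totalOperatorWeight storage default
        self.num, self.den = num, den
        self.ran = set()                  # initialisers that have executed

    def initialize_v3(self, operator_weights):
        self.total_operator_weight = sum(operator_weights.values())
        self.ran.add("initializeV3")

    def initialize_v4(self):
        self.ran.add("initializeV4")

    def quorum_reached(self, collected_weight):
        # collected / total >= num / den, written without division.
        # With total == 0 this is 0 >= 0 for an empty signature set.
        return collected_weight * self.den >= self.num * self.total_operator_weight

    def quorum_reached_checked(self, collected_weight):
        # Hardened form: an unset total is an error, never "no quorum required".
        if self.total_operator_weight == 0:
            raise RuntimeError("total operator weight is zero: refusing to authorise")
        return self.quorum_reached(collected_weight)


def post_upgrade_findings(bridge):
    """Deploy gate: list what is wrong with the post-upgrade state."""
    findings = [f"{name} was not called" for name in bridge.REQUIRED
                if name not in bridge.ran]
    if bridge.total_operator_weight == 0:
        findings.append("_totalOperatorWeight is 0")
    if bridge.quorum_reached(0):
        findings.append("withdrawal authorises with zero signatures")
    return findings


if __name__ == "__main__":
    skipped = BridgeManager()
    skipped.initialize_v4()  # the deployment the page describes
    for finding in post_upgrade_findings(skipped):
        print("FAIL:", finding)
```

Run against a fork of the upgraded state, a non-empty findings list should block the deployment before the proxy is pointed at the new implementation.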
What it taught the industry
Two and a half years after losing $625M to an operational failure, Ronin lost another $12M to a deployment-script error that skipped one of two required initialisers. The Nomad-pattern bug — uninitialised state with a default value that happens to mean "no checks" — kept resurfacing because the underlying invariant (an upgradeable contract is in a partially-constructed state until all initialisers run) is genuinely hard to enforce in CI. The honest takeaway: even teams that have been through a $625M trauma make initialiser mistakes. The defence has to be in tooling (Foundry/Hardhat plugins that fail builds with uninitialised storage, OpenZeppelin's Upgrades plugin storage-layout checks) rather than in attention.
Kelp DAO — April 2026 — $292M
What happened
On 18 April 2026 attackers drained 116,500 rsETH — about $292M, roughly 18% of the circulating supply — from Kelp DAO's LayerZero bridge. The exploit was not a smart-contract bug; the contracts behaved exactly as written. The attack moved up the stack, into the off-chain infrastructure that the bridge trusts to tell it what happened on the source chain. Chainalysis and the US Treasury later linked the attack to Lazarus Group. Kelp migrated rsETH off LayerZero's OFT standard to Chainlink CCIP within weeks.
Root cause
Kelp's deployment used a 1-of-1 LayerZero DVN (Decentralised Verifier Network) configuration: a single verifier's attestation was sufficient to release funds on the destination chain. The verifier read source-chain state by polling RPC nodes. Attackers compromised two RPC nodes the verifier polled, then DDoS'd the other RPC providers until the verifier failed over to depend exclusively on the attacker-controlled feeds. With the source-of-truth captured, the attackers fed the verifier a fake cross-chain message authorising the rsETH release. The contract accepted, because from its perspective the verifier had spoken and the verifier was the only voice that needed to.
What it taught the industry
The 2026 lesson is that "decentralised verifier network" means nothing if the operator chooses a 1-of-1 configuration. LayerZero offers configurable DVN sets — the operator picks the threshold and the verifier set. Kelp picked the cheapest, lowest-latency option. The exploit also exposed a higher-order failure: even a multi-verifier configuration is only as decentralised as its data sources. If every verifier polls the same RPC providers, compromising those providers compromises every verifier. After Kelp, several teams started requiring verifiers to maintain independent RPC infrastructure and to publish which providers they use. The race condition remains: bridges that don't pay for that level of infrastructure look indistinguishable from bridges that do, until the moment they don't.
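The difference between failing over and failing closed, as an added Python sketch that is not LayerZero, DVN or Kelp code. All names, the response format and the thresholds are assumptions, and the sample responses are constructed to match the scenario above: two sources returning a forged message, the rest unreachable.

```python
from collections import defaultdict

GENUINE = "hash-of-real-source-chain-message (constructed)"
FORGED = "hash-of-forged-message (constructed)"

# Constructed responses: message_hash is None when the source is unreachable.
NORMAL = [
    {"endpoint": "rpc-1", "operator": "op-A", "message_hash": GENUINE},
    {"endpoint": "rpc-2", "operator": "op-B", "message_hash": GENUINE},
    {"endpoint": "rpc-3", "operator": "op-C", "message_hash": GENUINE},
    {"endpoint": "rpc-4", "operator": "op-D", "message_hash": GENUINE},
    {"endpoint": "rpc-5", "operator": "op-E", "message_hash": GENUINE},
]
DURING_ATTACK = [
    {"endpoint": "rpc-1", "operator": "op-A", "message_hash": None},
    {"endpoint": "rpc-2", "operator": "op-B", "message_hash": None},
    {"endpoint": "rpc-3", "operator": "op-C", "message_hash": None},
    {"endpoint": "rpc-4", "operator": "op-D", "message_hash": FORGED},
    {"endpoint": "rpc-5", "operator": "op-E", "message_hash": FORGED},
]


class FailClosed(Exception):
    """Raised when the verifier must refuse to attest."""


def attest_with_failover(responses):
    """Weak pattern: trust whichever source still answers."""
    for r in responses:
        if r["message_hash"] is not None:
            return r["message_hash"]
    raise FailClosed("no source reachable")


def attest_with_quorum(responses, min_operators, min_agree):
    """Attest only when enough independent operators answer and agree.

    Votes are counted per operator, so several endpoints run by one operator
    count once. Unreachable sources lower the count; they are never skipped.
    """
    votes = defaultdict(set)  # message hash -> operators reporting it
    for r in responses:
        if r["message_hash"] is not None:
            votes[r["message_hash"]].add(r["operator"])
    live = set().union(*votes.values()) if votes else set()
    if len(live) < min_operators:
        raise FailClosed(f"only {len(live)} independent operators reachable")
    best, operators = max(votes.items(), key=lambda kv: len(kv[1]))
    if len(operators) < min_agree:
        raise FailClosed("sources disagree on source-chain state")
    return best


if __name__ == "__main__":
    print("failover attests:", attest_with_failover(DURING_ATTACK))
    try:
        attest_with_quorum(DURING_ATTACK, min_operators=4, min_agree=4)
    except FailClosed as exc:
        print("quorum refuses:", exc)
```

The quorum variant trades liveness for safety: under a denial-of-service against honest sources it stops attesting instead of narrowing its view to whatever remains reachable.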
Common attack vectors, distilled
Validator / operator key compromise
By far the dominant pattern. Ronin (2022), Multichain (2023), Orbit (2023), Poly Network (2023) and Kelp (2026, off-chain variant) all reduce to: attackers obtained authority that the protocol assumed only authorised parties could obtain. Chainalysis estimated that private-key compromises drove roughly 88% of stolen funds in Q1 2025 and the trend has held into 2026.
Signature verification flaws
Wormhole (2022) is the canonical example, but the family is broader: any place where a contract trusts a signature without verifying the signature's context (sysvar account, chain ID, replay nonce, message domain). Cross-chain protocols multiply the opportunities because messages cross trust boundaries.
Initialisation and upgrade flaws
Nomad (2022) and Ronin V2 (2024) demonstrate that upgradeable contracts have a hidden third state — neither "old implementation" nor "new implementation" but "new implementation with a missing initialiser call" — and that state is often spectacularly insecure. Storage-layout tooling helps; full-fork upgrade simulations help more.
Message-routing and access-control logic
Poly Network (2021) is the canonical case. A privileged contract that can call a privileged function on another privileged contract gives an attacker arbitrary capability if they can craft the message that gets routed. The defensive pattern is capability narrowing: bridge routers should not be able to mutate access-control state.
Off-chain dependency manipulation
Kelp DAO (2026) added a new entry to the catalogue: even when on-chain logic is correct, the data flowing in from the off-chain world (RPC nodes, oracle feeds, DVN attestations) is a soft target. Bridges that depend on a single information source inherit its compromise; bridges with diverse sources inherit the compromise of the source they fail over to.
What to look for in a safe bridge in 2026
A practical checklist for evaluating any bridge before you route real money through it. Most bridges will fail several of these. That's information.
- Validator set transparency. Who runs the validators? Are they identifiable legal entities or anonymous? How geographically distributed? What is the signing threshold (M-of-N) and is it sized for the value secured? A 5-of-9 set securing $10B is structurally underweight.
- Key custody documentation. Are validator keys in HSMs? In multi-sig with on-chain rotation? In a single founder's laptop? If the bridge can't answer this publicly the answer is "you don't want to know."
- Audit posture. Audited by whom, when, and against what version of the contracts that are currently deployed? An audit from 2023 of a contract that was upgraded in 2025 is a marketing artifact, not a security control. Bridges with multiple independent audits and active bug bounties (Immunefi $5M+ tier) are categorically better positioned.
- Time-locks on upgrades. Can the team push a new implementation in a single transaction? Or is there a 48–72 hour delay during which observers can react? Bridges with no time-lock are bridges where one compromised admin key ends the protocol.
- Decentralisation of the message-passing model. Optimistic (Nomad-style, with a fraud-proof window), ZK-validated (zkBridge designs, where state transitions are mathematically verified), and multisig are all valid models — with very different failure modes. ZK has the strongest cryptographic guarantees; optimistic has time as a defence; multisig has the worst record. Prefer ZK or hybrid designs for large transfers when you have the option.
- Off-chain infrastructure independence. What RPC providers do verifiers use? Are they the same ones every other protocol uses? Kelp DAO showed that this matters more than people had previously assumed.
- Insurance and coverage. Nexus Mutual, Sherlock, and a handful of others write cover on bridges. The premium tells you what professional underwriters think of the risk — often a sharper signal than the team's marketing.
- Track record. A bridge that has been live for three years without an exploit is structurally safer than one live for three months, because attackers have had three years to find the bug and didn't. This argument is weaker for bridges that have changed their implementation significantly over those years.
How Ropil's design avoids these failure modes
Ropil is a non-custodial swap aggregator. We never hold your funds. Every swap is a signed transaction from your wallet to the chosen bridge protocol — LiFi, Relay, or THORChain — and the assets move through their infrastructure, not ours. If our servers vanish tomorrow your wallet keeps its assets and your in-flight swaps either complete on the underlying bridge or refund per that bridge's rules.
That design choice means we cannot save you from the failure modes catalogued above; the bridges we route to remain subject to validator compromise, signature flaws, initialisation bugs, and off-chain manipulation. What we can do — and do — is make the routing visible. Every quote shows which engine and which underlying bridge will execute it. If a route would go through a bridge you don't trust, you can pick a different engine or skip the swap. That information asymmetry — users knowing which bridge their funds will pass through — is something most CEX-style or wallet-embedded bridge UIs hide. For background on how the three engines we route to compare on coverage, depth and trust assumptions, see the swap routing guide.
We also publish the bridges we've removed from routing. Multichain was de-listed by most aggregators months before its collapse; that kind of route-level signal sometimes leads the crisis. If you want to be notified when we change the routing set, the hello@ropil.xyz list publishes a brief note when a bridge is added or removed.
Sources: Halborn (Ronin, Wormhole, Nomad, Orbit, Poly Network, Ronin V2, Kelp DAO postmortems), Chainalysis (Multichain forensics, Kelp DAO RPC compromise analysis), Rekt News (Orbit, Nomad, Ronin), Immunefi (Nomad technical breakdown), Sky Mavis (Ronin postmortem), CoinDesk and DL News (Multichain timeline), Kraken Security (Poly Network 2021 architecture). Public postmortem URLs verified on 2026-05-15.