Cross-Chain Bridges: How Assets Travel Between Blockchains (Without Getting Robbed)

Posted on by No Comments ↓

Merry Christmas everyone!
You’ve probably seen this line a hundred times: “Bridge your assets to Arbitrum/Optimism/another chain to try this dApp.” It sounds simple—click a button and your tokens magically appear on another chain. In reality, your coins are not teleporting through a wormhole. In most cases, your original tokens never leave their home chain at all—only messages and representations move.

Those invisible highways between chains are called cross-chain bridges, and they’re one of the most powerful and most dangerous pieces of Web3 infrastructure. This is day 20 of 60 days in Web3 series.

1. Why interoperability matters

Blockchains are like cities that all speak different protocols:

  • Ethereum, Arbitrum, Optimism, Base, Solana, Avalanche, Cosmos zones… each has its own consensus rules and state.
  • Most chains cannot talk to each other natively, which means assets and information are stuck where they were created.

But users don’t wake up thinking “I want to use Ethereum mainnet today.” They think:

  • “I want cheaper gas.” (Hello, L2s.)
  • “I want a specific DeFi yield or NFT ecosystem.”
  • “I want to move stablecoins where fees are lower.”

Bridges exist to:

  • Let you use ETH-like value on another chain without selling it on a centralized exchange.
  • Let protocols build experiences that span multiple chains (e.g., liquidity on one, dApp front-end on another).

In short, interoperability is about connecting liquidity, apps, and users across a fragmented multichain world.

2. How token bridges actually work (lock & mint mental model

Most bridges use some variation of a lock-and-mint or burn-and-mint model.

Imagine you want to “bridge” 1 ETH from Ethereum to another chain like Polygon.

Lock & mint (most common)

  1. You send 1 ETH to a bridge contract on Ethereum.
  2. That ETH is locked in a smart contract or by a custodian.[8][2]
  3. On Polygon, the bridge mints 1 wrapped ETH (wETH-style token) representing your claim on the locked ETH.[2][3]
  4. You now use that wrapped ETH in Polygon DeFi as if it were native.

When you want to go back:

  1. You send your 1 wrapped ETH to the bridge on Polygon.
  2. The wrapped token is burned on Polygon.
  3. The original 1 ETH is unlocked from the contract on Ethereum and sent back to you.

Key points:

  • The original tokens rarely leave the source chain; they sit in a contract or custodian-controlled wallet.
  • What moves is a representation, often called a wrapped or pegged token.

You can think of this like checking your coat at a venue:

  • You give them your coat (lock).
  • They give you a ticket (wrapped token).
  • You use the ticket inside.
  • When you’re done, you return the ticket and get your coat back.

3. Types of bridges (and their trust assumptions)

Not all bridges work the same way. Under the hood, they differ mainly in who you trust and how messages are verified.

a) Trusted / custodial bridges

  • Run by a company or a small multisig (e.g., 5/9 signers).
  • Users trust that operator to:
    • Safely hold locked assets.
    • Correctly mint/burn wrapped tokens.
  • Examples in this category historically include Binance Bridge, some wrapped BTC models, and certain centralized cross-chain services.

Pros: Simple UX, often fast.

Cons: Single point of failure—if keys are compromised or the operator disappears, funds are at risk.

b) Trustless / trust-minimized bridges

  • Use smart contracts, light clients, or cryptographic proofs to verify events on one chain from another.
  • Instead of trusting a company, you trust the underlying protocols and validator sets.
  • Examples: designs like Connext, Hop, and PoP / light-client-based bridges.

Pros: Security closer to the underlying chains.

Cons: More complex, can be slower or more expensive.

c) Message-passing / generalized bridges

  • Focus on messages, not just tokens:
    • “This address locked X tokens on chain A.”
    • “Execute this action on chain B if condition is met on chain A.”
  • Token bridging becomes one use case on top of a messaging layer.

The important part for learners: Every bridge has a trust model. You’re always trusting someone or something—the only question is who and under what conditions.

4. Bridge hacks: when highways crack

2022 and 2023 exposed how dangerous bridges can be when they fail.

Some of the largest DeFi exploits ever have been bridge-related:

  • Ronin Network (Axie Infinity) – ~$624M lost after attackers compromised validator keys in a bridge with a small validator set.
  • BSC Beacon bridge – ~$566M exploit via a bug in proof verification, allowing attackers to mint extra tokens.
  • Wormhole – ~$326M lost due to incorrect signature verification, letting the attacker mint wrapped assets without proper backing.
  • Nomad – ~$190M drained after a smart contract upgrade bug let anyone copy-paste a transaction and withdraw funds.

TRM Labs estimated that as of late 2022, there had been only 13 bridge hacks, but they accounted for nearly $2 billion in losses—meaning bridge exploits are rare but huge.

Some analyses estimate that bridge-related incidents contributed to around 70% of all stolen funds in certain periods of Web3 hacking history.

Why they’re such juicy targets:

  • Bridges often hold massive pooled liquidity on the source chain (everyone’s locked tokens in one place).
  • A single bug or key leak can give attackers access to those entire pools.

5. Risks you should know as a user

From a user’s perspective, bridging is not “just sending tokens.” It’s accepting several layers of risk:

  • Smart contract risk: Bugs in the bridge contract where funds are locked.
  • Key/validator risk: If a multisig or validator set is compromised, attackers can drain or mint at will.
  • Economic risk: Wrapped assets may de-peg if trust in the bridge collapses.

Questions to ask before using a bridge:

  • Who controls the locked funds? A company? A multisig? A protocol DAO?
  • Has this bridge been audited? By whom? How long has it been live?
  • What happens if the bridge goes offline—can you still exit?

For newcomers, a good rule of thumb: bridging is like using a third-party custodian—treat it with the same caution as leaving funds on an exchange.

6. Why bridges matter for developers

If you are building anything that:

  • Runs on multiple chains.
  • Needs liquidity from Ethereum on an L2 or another L1.
  • Wants users to “bridge in” or “bridge out” as part of the UX.

…you are making design decisions about bridges, even if you think you’re just dropping a widget into your UI.

Bridges matter because they affect:

  • Security assumptions – Your app may be safe, but if the bridge feeding liquidity is broken, users still lose money.
  • User experience – Extra steps, multiple signatures, gas on both chains, stuck transactions.
  • Composability – Wrapped assets vs native assets, support across protocols, or limited integration scope.

As a developer, you should at minimum:

  • Understand the trust model of any bridge you integrate.
  • Communicate those assumptions clearly to users (“Funds are custodied by X; here’s the risk profile”).
  • Consider safer alternatives when they exist (e.g., official native bridges vs unknown third-party ones).

7. Simple mental model: bridges as IOUs, not teleporters

The safest mental model for beginners is:

A bridge is mostly an IOU system.

Your original asset usually stays locked on Chain A.

You receive an IOU (wrapped token) on Chain B.

If the system managing that IOU breaks, your claim may not be honored.

This model helps you remember:

  • More TVL in the bridge = bigger honeypot = more incentive for hackers.
  • Using a bridge is always a trade-off between convenience and additional risk beyond the base chain.

8. Why this matters in your Web3 journey

If you want to go from “dabbling in DeFi” to actually understanding the infrastructure, bridges are a key step:

  • Day 17 (Stablecoins) was about value pegs.
  • Day 19 (Oracles) was about data bridges between the real world and blockchains.
  • Day 20 (today) is about asset bridges between blockchains themselves.

Together, they form a picture: Web3 is not just chains. It’s all the connective tissue—oracles, bridges, messaging layers—that make those chains usable.

Key takeaway (Day 20)

Blockchains are like isolated cities with their own rules; cross-chain bridges are the highways that let assets and messages move between them. Most bridges don’t move your coins at all—they lock them on one chain and mint wrapped versions on another, which introduces new trust and security assumptions. For users and developers, understanding how bridges work—and how they can fail—is essential if you don’t want your “bridged” tokens to disappear in the next headline hack.

What’s next (Day 21)

Next, you can zoom out even further into Layer 0 & Layer 3:

  • Layer 0: networks like Cosmos and Polkadot that bake interoperability into the base layer.
  • Layer 3: app-specific chains and rollups that sit even higher in the stack.

If bridges are the highways we bolt on, Layer 0 and Layer 3 are about designing the roads into the city from the start.

Still not following me after Day 20 ?
Follow on Medium & Twitter
Join Web3 for Humans for more updates.

Leave a Reply