Cross-chain refers to the ability to move data, assets, or messages between separate blockchains that cannot communicate natively. Cross-chain infrastructure, such as bridges, messaging protocols, and interoperability networks, connects otherwise isolated ledgers so that a token on one chain can unlock or mint on another.
The mechanic sounds simple. The security record is the reason anyone researching the term should keep reading. By August of 2022, Chainalysis had estimated $2 billion in cryptocurrency stolen across 13 cross-chain bridge hacks, with 69% of year-to-date crypto theft coming from bridge attacks.
Key Takeaways
- Cross-chain bridges moved from niche to critical infrastructure, then became the single biggest attack surface in decentralized finance. Chainalysis reported that in full-year 2022, DeFi protocols accounted for 82.1% of all cryptocurrency stolen, and 64% of the $3.1 billion in DeFi theft came from cross-chain bridges, approximately $1.98 billion.
- The Ronin bridge exploit on March 23rd drained approximately 173,600 ETH and 25.5 million USDC after attackers compromised 5 of 9 validator private keys belonging to Sky Mavis and Axie DAO.
- IBC, the Cosmos ecosystem’s cross-chain protocol, connects over 115 blockchains with 2 million monthly active users and over 35 million annual transactions on average, and has operated without a single exploit since launch.
- LayerZero supports over 150 chains, has processed 150 million messages, and reports that over $50 billion in assets rely on its OFT Standard, with 620 development groups running 59,000 contracts on its Endpoints.
- Wormhole connects over 45 blockchains and has enabled $68 billion in all-time transfer volume, with Google Cloud, BlackRock, Apollo, Janus Henderson, and VanEck listed among institutional users.
- Total crypto theft reached over $3.4 billion from January through early December of 2025, with North Korean hackers attributed to at least $2.02 billion, or 76% of all service compromises, per Chainalysis.
How Does Cross-Chain Work?
Cross-chain moves something from Chain A to Chain B without either chain natively understanding the other. A bridge or messaging protocol sits in the middle, locks or attests to the source asset, and instructs the destination chain to release or mint an equivalent. The mechanics matter because every step introduces a trust assumption that an attacker can target.
A working mental model: cross-chain infrastructure is the airport currency exchange desk between two countries. A bridge locks user funds in a central storage point on the source chain, then issues a matching token on the destination chain that stays backed only so long as the original pool is intact. If that vault is raided, every local-currency note in circulation stops being backed by anything.
1. Lock or burn on the source chain
The user sends an asset to a smart contract on the origin chain. The contract either holds the tokens in escrow (lock-and-mint) or destroys them (burn-and-mint). Chainalysis has characterized this model as a “central storage point of funds that back the ‘bridged’ assets on the receiving blockchain,” and cited it as the reason bridges are an attractive target for attackers.
2. Verify and attest to the transfer
An off-chain or on-chain verifier set signs a message confirming the deposit happened. The design of this verifier is where cross-chain protocols diverge most. Axelar uses validators participating in Cosmos SDK consensus, with each Gateway controlled by a multi-party cryptography scheme that divides the signing key into many pieces called key shares, requiring a vote of validators before transactions are authorized. LayerZero V2 lets each application pick its own off-chain workers, configured as Decentralized Verifier Networks in an X-of-Y-of-N arrangement, plus an Executor address, on a per-channel basis.
3. Mint or release on the destination chain
Once the attestation is delivered, the destination chain’s contract mints a wrapped representation or releases native inventory from a pool, which, under a light-client design like IBC, is verified cryptographically against the source-chain block header across over 115 connected chains. IBC employs light client-based interoperability that removes reliance on trusted intermediaries. That verification step is closer to customs checking a sealed shipping container against a manifest than a clerk taking someone’s word that the shipment arrived.
The three steps look straightforward. The security record is not.
Why Does Cross-Chain Matter?
Multi-chain is already the default for crypto users. A single wallet now holds USDC on Ethereum, SOL on Solana, and BNB on BNB Chain, and moving value between those chains without returning to a centralized exchange requires cross-chain infrastructure. Volume reflects that reality. LayerZero reports 150 million cross-chain messages processed, with 620 development groups and 59,000 contracts using its Endpoints. IBC averages over 35 million annual transactions across over 115 connected chains, with 2 million monthly active users.
Institutional pipelines are building on the same rails. Chainlink CCIP supports over 60 public and private blockchains, with named institutional integrations including SWIFT and UBS Asset Management for tokenized asset transfers, ANZ Bank via Project Guardian, and SBI Digital Markets for automated fund administration pilots. Wormhole has moved $68 billion in cumulative transfer volume and lists Google Cloud, BlackRock, Apollo, Janus Henderson, Flow Traders, VanEck, and AMD among institutional users.
Across our coverage of DeFi and self-custody wallet statistics, the directional pattern is clear: users holding assets across multiple chains want to move them without first returning to a centralized exchange, and the protocols being built to serve that demand now include named tier-one banks. Practical reasons readers encounter cross-chain:
- Access liquidity fragmented across chains (a Solana DEX, an Ethereum lending market, a Base yield vault) from a single wallet
- Move stablecoins between networks with lower fees (Ethereum to Arbitrum or Base for lower-cost transfers)
- Run applications that pull data or assets from multiple chains in one transaction
- Tokenize assets on one chain while settling payments on another, the model used in the UBS and SWIFT CCIP pilot
Refer to our DeFi market statistics for the broader context of on-chain value that cross-chain rails now connect.
Advantages, Trade-offs, and Risks
Cross-chain unlocks liquidity and application design that single-chain deployment cannot match. It also concentrates custody in contracts that have proven to be the most targeted attack surface in crypto.
Advantages
- Multi-chain asset access from a single wallet without selling into fiat or routing through a centralized exchange
- Unified liquidity pools that can be drawn against from any connected chain
- Composability: a DeFi application on Chain A can trigger an action on Chain B in one user flow
- Institutional on-ramps: CCIP, Wormhole, and LayerZero are being adopted by named financial institutions for tokenized asset settlement
- Developer efficiency: a protocol can ship once and be reachable across dozens of chains without redeploying logic
Trade-offs and Risks
- Concentrated custody risk: the lock-and-mint model means every bridged asset is backed by a pot of real tokens in a contract. If that contract is drained, every bridged unit in circulation loses backing. Chainalysis has called effective bridge design “still an unresolved technical challenge, with many new models being developed and tested,” and warned that varying designs present novel attack vectors.
- Validator compromise: External-validator bridges have been repeatedly breached when enough signing keys are stolen, as in the Ronin breach, where 5 of 9 validator keys were compromised, and the theft went unnoticed for about six days. Ronin is the textbook case.
- Smart contract bugs: Wormhole was exploited on 02/02/2022 for $326,000,000, and Nomad Bridge on 08/01/2022 for $190,000,000, both from code-level flaws rather than validator key compromises.
- State actor risk: North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, representing 76% of all service compromises and bringing their cumulative all-time total to $6.75 billion, per Chainalysis.
- User error: sending assets to an unsupported chain or an incorrect destination address is often irreversible.
Those risks trace back to a handful of recurring architecture choices.
Types of Cross-Chain Bridges
Cross-chain protocols can be grouped by how they verify that a deposit on the source chain really happened. Four trust models dominate the market, and the hack record is not evenly distributed across them.
| Trust Model | How Verification Works | Example Protocols | Hack Record |
| External validator / multi-sig | A fixed committee of off-chain validators signs messages. Move funds with M-of-N signatures. | Ronin, older Wormhole, Harmony Horizon | Ronin $624M (2022), Harmony $100M (2022), Wormhole $326M (2022) |
| Light client | The destination chain verifies the source chain block headers cryptographically. No trusted signers. | IBC, Hyperlane, Polymer | IBC: no exploits since launch |
| Optimistic | Messages are accepted after a fraud-proof challenge window. | Nomad, Across, some Polygon bridges | Nomad $190M (2022) |
| Oracle + executor separation | One decentralized oracle network signs, a separate risk-management network monitors and can halt. | Chainlink CCIP | No reported bridge-level exploit |
| DVN-modular | Each application configures its own verifier set (X-of-Y-of-N) and executor. | LayerZero V2 | No reported V2 endpoint exploit |
Sources: Chainalysis, Sky Mavis, Rekt News, IBC Protocol, Chainlink, LayerZero, Axelar
Rekt News has catalogued eight named bridge incidents exceeding $80 million each since 2021, with Ronin the largest at $624,000,000 on 03/23/2022, followed by Poly Network at $611,000,000 on 08/10/2021 and BNB Bridge at $586,000,000 on 10/06/2022. The loss column makes the case that external-validator custody has absorbed most of the damage.
| Bridge | Date | Loss (USD) | Trust Model |
| Ronin Network | 2022-03-23 | $624M | External validator (5 of 9 multisig) |
| Poly Network | 2021-08-10 | $611M | Smart contract exploit |
| BNB Bridge | 2022-10-06 | $586M | Smart contract / proof forgery |
| Wormhole | 2022-02-02 | $326M | Smart contract (pre-Guardian redesign) |
| Nomad Bridge | 2022-08-01 | $190M | Optimistic (upgrade broke verification) |
| Multichain | 2023-07-06 | $126.3M | External validator |
| Harmony Horizon | 2022-06-23 | $100M | External validator (2 of 4 multisig) |
| Orbit Chain | 2023-12-31 | $81.5M | External validator |
Sources: Rekt News, Sky Mavis
See our coverage of crypto exchange market data and self-custody wallet statistics for the broader picture of where crypto funds sit and why so many now flow through cross-chain infrastructure to stay off exchanges.
Real-World Applications
Cross-chain use cases split roughly into consumer DeFi flows, institutional settlement pilots, and concrete step-by-step asset transfers that readers can picture.
Multi-chain DeFi and liquidity
Retail users hold assets across chains and borrow, lend, or farm yield on whichever chain has the best rates or deepest liquidity at a given moment. A USDC balance on Ethereum can be bridged to Arbitrum or another of the over 150 chains LayerZero supports to pay lower gas fees for a lending deposit, then withdrawn back to Ethereum later. Wallets such as those covered in our MetaMask wallet data increasingly build native bridge UIs so the cross-chain step happens inside the wallet, not on a separate dApp.
Institutional tokenized asset settlement
Banks and asset managers are piloting cross-chain rails for tokenized funds, bonds, and payment-versus-payment settlement, routed through protocols that now include Chainlink CCIP and Wormhole. The Chainlink CCIP product page lists SWIFT and UBS Asset Management for tokenized asset transfers, ANZ Bank via Project Guardian, and SBI Digital Markets for automated fund administration as named institutional pilots, and states the protocol has enabled tens of trillions in on-chain transaction value. Wormhole lists BlackRock, Apollo, Janus Henderson, Flow Traders, VanEck, and AMD as institutional partners on its official homepage.
Scenario: Moving USDC from Ethereum to Arbitrum
Picture sending 1,000 USDC from Ethereum to Arbitrum through a cross-chain messaging bridge:
- Wallet sends 1,000 USDC to the bridge contract on Ethereum. The contract locks the USDC.
- Off-chain verifiers (a DVN set, an oracle network, or a validator committee, depending on the protocol) observe the deposit and sign an attestation.
- The signed attestation is relayed to the Arbitrum contract, which verifies it.
- The Arbitrum contract releases 1,000 USDC from its pool or mints wrapped USDC to the destination wallet.
- Net time: seconds to a few minutes. Net cost: Ethereum gas + Arbitrum gas + bridge protocol fee.
If step 2 can be forged through compromised validator keys or a buggy signature check, an attacker can drain the source-chain pool without ever holding real assets, which is the failure mode Chainalysis has documented across the major bridge incidents to date.
Frequently Asked Questions (FAQs)
Cross-chain carries real, documented custody risk that single-chain transactions do not. Chainalysis reported that 64% of the $3.1 billion stolen from DeFi protocols in 2022 came from cross-chain bridge protocols, approximately $1.98 billion. Risk varies by trust model: IBC has operated without a single exploit since launch across over 115 connected blockchains, while external-validator bridges have produced most of the industry’s largest loss events.
Multi-chain means an application or asset is deployed on several blockchains independently. Cross-chain means the chains can send data or value to each other. A stablecoin issued separately on Ethereum, Solana, and BNB Chain is multi-chain. A stablecoin that can be moved between those three chains through a bridge or messaging protocol is cross-chain.
The Ronin Network exploit on March 23rd drained approximately 173,600 Ethereum and 25.5 million USDC after attackers compromised five of nine validator private keys belonging to Sky Mavis and Axie DAO. The theft was not discovered until six days later, when a user reported being unable to withdraw about 5,000 ETH, and the FBI later attributed the exploit to the Lazarus Group.
Yes, usage has grown since the 2022 peak: LayerZero has processed 150 million cross-chain messages across over 150 chains, Wormhole reports $68 billion in all-time transfer volume across over 45 blockchains, and IBC averages over 35 million annual transactions across over 115 connected chains.
IBC has the strongest public record, operating across over 115 connected blockchains with 2 million monthly active users and over 35 million annual transactions on average without a single exploit since launch, according to IBC Protocol documentation. Its light-client design removes reliance on a fixed committee of external validators, which is the trust model behind the largest bridge losses tracked by Chainalysis.
Yes. Chainlink CCIP names SWIFT and UBS Asset Management, ANZ Bank via Project Guardian, and SBI Digital Markets as institutional integrations, and states the protocol maintains SOC Type I and ISO 27001 certifications. Wormhole lists Google Cloud, BlackRock, Apollo, Janus Henderson, Flow Traders, VanEck, and AMD among its institutional users.
Conclusion
Cross-chain turned from an experimental feature into default infrastructure in under five years, and the hack record is the single most important thing a reader of a glossary entry should carry away. Chainalysis data shows approximately $2 billion stolen across thirteen bridge hacks by August of 2022, with bridges accounting for 69% of 2022 crypto theft and $1.98 billion of the $3.1 billion stolen from DeFi in full-year 2022. Theft has continued, with over $3.4 billion in total crypto losses recorded from January through early December of 2025 and North Korea attributed at least $2.02 billion for the year, per Chainalysis.
The pattern in the loss table is the practical lesson: bridges that concentrate custody behind a small external-validator set have absorbed most of the damage, while designs that verify source-chain state cryptographically (IBC) or split verification and execution across independent networks (CCIP, LayerZero V2) have so far avoided the same class of failure. The building blocks are converging on light-client and modular verification, and institutional pilots are pushing the same rails that retail users have been trusting for years.
