A bridge is a protocol that moves assets between two blockchains that cannot natively talk to each other. You lock your ETH on Ethereum, the bridge mints an equivalent amount of “bridged ETH” on a different chain (say, Arbitrum or Solana), and you can now use those tokens over there. Run the process in reverse to get your original ETH back. That is the idea.
The reason bridges exist is that blockchains are genuinely separate systems. Bitcoin has no idea that Ethereum exists. Ethereum has no idea that Solana exists. If you want to use your Bitcoin on a DeFi protocol that only runs on Ethereum, something somewhere has to custody the real Bitcoin and issue a representation of it on the other chain. Bridges are the machinery for doing that. WBTC (Wrapped Bitcoin) on Ethereum is the oldest and most successful example β a BitGo custodian holds the real BTC, and a smart contract on Ethereum issues WBTC tokens that track it 1:1.
Native bridges (e.g. Arbitrum’s own bridge from Ethereum to Arbitrum) are run by the Layer 2 project itself and inherit their security from the underlying rollup. Third-party bridges (Wormhole, LayerZero, Axelar, deBridge) sit between arbitrary chain pairs and rely on their own validator sets, multisigs, or relay networks to confirm that assets have been locked on one side before they mint them on the other.
Why So Many of Them Get Hacked
Bridges are the weakest link in crypto security. The Ronin bridge lost $625 million in March 2022 when five of nine validator keys were compromised. Wormhole lost $325 million in February 2022 through a signature verification bug. Nomad lost $190 million in August 2022 when a buggy upgrade let anyone drain the contract. Harmony’s Horizon bridge, Qubit, Multichain, Poly Network β the list goes on. Several billion dollars have been stolen from bridges since 2021, which is more than any other category of DeFi exploit.
The fundamental problem is that bridges concentrate value. If a bridge holds $500 million of locked tokens and the attacker finds a single way to trick the contract into releasing them, they can drain the whole thing in one transaction. There is no gradual discovery or partial loss. It is either fine or catastrophic. Combine that with the complexity of the cross-chain logic and the fact that most bridges rely on relatively small validator sets, and you have an attack surface that has proven very hard to secure.
For ordinary users, the practical advice is: use the native bridge of a Layer 2 if you can (it usually inherits the security of the rollup itself), prefer bridges that have been audited and running for years without incident, and do not bridge more than you can afford to lose on any given route. The word “bridge” is doing a lot of work in crypto, and the risk profile varies enormously between a native rollup bridge and a randomly deployed cross-chain router.