Pomegra Wiki

Bridge Protocol: How Cross-Chain Bridges Work

A bridge protocol locks your asset on one blockchain and mints an equivalent token on another, letting you move crypto between separate networks. The core mechanics are straightforward, but the security model—who holds the keys, how they validate transfers, and what happens if validators fail—determines whether a bridge merely shifts risk or actively creates it.

How the Basic Bridge Mechanism Works

Imagine you hold ether on Ethereum but want to use it on Arbitrum. A bridge doesn’t teleport assets; it freezes one and creates a stand-in on the other.

Here’s the flow: You send your ether to a bridge contract on Ethereum. The contract locks it (or, less securely, stores it with a custodian). On the other side, software observing Ethereum’s chain sees the lock and instructs the Arbitrum contract to mint an equivalent “wrapped ether” token for you on Arbitrum. You now hold wETH-Arbitrum, which represents your frozen ether. When you want out, you burn the wrapped token on Arbitrum, and the bridge releases your original ether on Ethereum.

The challenge isn’t the lock-and-mint plumbing; it’s trust. Something must confirm that the lock actually happened before minting the stand-in. That something is the bridge’s validator set, and how it works defines whether the bridge is secure or brittle.

Validator-Based Bridges and the Honesty Assumption

Most bridges rely on a set of validators—software nodes or a committee of custodians—to attest that a lock has occurred. When you send funds, validators on the destination chain observe the source chain and sign a message confirming the lock. Once a threshold of validators agree (often a simple majority, sometimes 2/3 or higher), the contract mints the wrapped token.

This design is fast and flexible but depends entirely on the validators staying honest. If 51% of validators collude, they can mint wrapped tokens without corresponding locks, inflating the bridge and stealing collateral. If a bridge validator set is a small trusted group (like a 5-person committee run by the bridge company), the trust model is thin—you’re betting the company won’t steal. If validators are decentralized and economically incentivized to stay honest through slashing, the risk spreads, but a determined attacker with enough capital can still bribe or hack a majority.

Liquidity Pools and the AMM Alternative

Some bridges use a different model: a liquidity pool on each chain holds assets, and swaps mediate transfers. You deposit ether into an Ethereum pool and withdraw wETH from an Arbitrum pool. The bridge doesn’t lock anything; it uses arbitrage to keep the exchange rates aligned. This avoids the need for validators to attest to anything but introduces liquidity risk—if one pool runs dry, transfers become expensive or impossible.

This approach works well for stable, high-volume pairs but requires real capital on both sides. Smaller or newer chains often can’t attract enough liquidity, making the validator model the only option.

Optimistic vs Cryptographic Proofs

A third design principle affects security: does the bridge verify transactions optimistically or cryptographically?

An optimistic bridge assumes transfers are valid unless someone proves otherwise. A validator posts a claim (“User X locked 10 ether”), and if no one disputes it within a challenge period, the wrapped tokens mint. This is cheap and fast but gives attackers a grace period to exploit. If they post a false claim and disappear, honest challengers must still convince the on-chain contract they were wrong—a burden that requires capital and legal clarity about who arbitrates.

A cryptographic bridge demands proof of the source chain’s transaction before minting. For instance, a validator posts a proof-of-work from Ethereum (a bundle of block headers proving consensus) alongside the transaction, and the destination contract verifies it. This is more expensive and slower but removes the challenge period and the assumption of ongoing validator honesty. Bitcoin bridges and some Ethereum-Solana bridges use this approach.

Risks and Trade-Offs

No bridge is costless. The trade-offs are stark:

Custodial bridges (assets held by a company) are easy to use but offer the weakest security. If the custodian is hacked or decides to exit-scam, funds vanish. Examples include early Wrapped Bitcoin (WBTC) and some centralized exchange bridges.

Federated bridges (small trusted validator set) are faster and cheaper than decentralized ones but concentrate risk. Thorchain and some private bridges operate this way.

Decentralized validator bridges (large, incentivized validator set) spread risk but introduce coordination and game-theory risks. Validators may front-run users, and bribing 51% is expensive but not impossible if the bridge’s total value exceeds the validator bond pool.

Light-client and proof-based bridges (cryptographic verification) are the most trustless but consume enormous gas and require frequent updates of the source chain’s state to the destination. They’re slow and expensive at scale.

Capital and Economics

A bridge that locks real collateral (say, actual ether held in a contract) can only mint an equal amount of wrapped tokens. If a lock mechanism fails—due to a bug or a hacker—the wrapped token becomes under-collateralized. Honest bridges monitor this and pause minting. Dishonest ones don’t, and the wrapped token can trade at a discount to the real asset.

Most bridges also charge fees: a percentage of the transfer, a fixed amount per transaction, or a spread on the swap rate. These fees fund validator operations and liquidity provision. If fees are too low, the bridge becomes uneconomical; if too high, users switch to cheaper routes (like a centralized exchange) or accept the risk of waiting on a slower bridge.

Cross-Chain Bridge Risks in Context

The bridge space has seen major hacks: Nomad ($190 million), Poly Network ($611 million), Wormhole ($325 million). In each case, a validator or proof mechanism failed—either a single validator key was compromised, logic bugs allowed unauthorized minting, or an oracle feed was manipulated. Even seasoned security teams struggle to get bridges right.

For a user, the calculus is simple: trust the bridge or find a different route. Decentralized bridges with diverse validators and long-term incentive structures (like Stargate or LayerZero when fully decentralized) lower risk compared to three-person federation, but all bridges remain riskier than holding native assets on their original chain.

See also

  • Wrapped Tokens and Asset Representation — How bridges create interoperable versions of assets
  • Blockchain Fundamentals — The underlying chain architecture bridges connect
  • Cryptocurrency Exchange — Alternative to bridges for moving between chains
  • Distributed Ledger — The consensus mechanisms bridges must trust or verify

Wider context

  • Ethereum — A major source and destination for cross-chain bridges
  • Smart Contract — The code that locks and mints tokens
  • Oracle Problem — Why external data entry is a bridge’s core vulnerability
  • Systemic Risk — Cascading failures when bridges fail at scale