Bridges

Last updated May 17, 2026

Since 2021, cross-chain bridges have lost roughly $2.96B across 18 documented incidents. Most was never returned. The list is below, sorted by date, with the failure mode named for each.

The deeper point isn't that any individual bridge was badly engineered — many were audited, several were considered best-in-class at the time. The point is that every architecture in this list is structurally an IOU: a token on the destination chain that depends on someone, somewhere, continuing to honor the redemption on the origin chain. The category fails the way it does because the category is what it is.

Intent settlement is the alternative. Solvers post on-chain collateral to compete for fills; if a solver fails to deliver, the collateral is slashed. There is no token to mint, no validator set to compromise, no MPC ceremony to fall back to. Native asset on chain A, native asset on chain B, in one signature. The piece on this in long form is The Bitcoin Question.

Total lost: $2.96B · Incidents: 18 · Never recovered: $1.15B · Fully returned: $1000M

By year

USD at time of incident. 2022 carries the weight of the category — Ronin, Wormhole, Nomad, Harmony, BNB Token Hub all sit inside twelve months.

2021: $641M · 2022: $1.93B · 2023: $325M · 2024: $66M

By failure mode

The same four shapes, repeated. The taxonomy is editorial: each incident is filed under its dominant failure mode.

Smart contract

$1.32B · 12 incidents

Permissionless code, no custody set. The attack surface is the code itself — verification bugs, deposit-accounting bugs, signature-replay bugs. Audits help; they don't finish the job.

Validator set

$724M · 2 incidents

N-of-M multisig of operator-held keys. Compromise enough keys, sign fraudulent withdrawals. Ronin and Harmony are the canonical failures.

Custodial

$699M · 2 incidents

A single operator (an exchange, a chain foundation) holds the keys. When the operator is compromised, or when the operator decides not to be honest, there is no recourse.

MPC custody

$212M · 2 incidents

Threshold-signature custody. The math is better than a plain multisig, but operationally still depends on a known set of signers staying honest and operational.

Every incident

Chronological, most recent first. Amount in USD at time of incident.

  1. Munchables (Blast L2)

    $63M
    26 Mar 2024 · Smart contract · Fully returned

    Rogue developer (hired anonymously by the Munchables team) inserted a backdoor in the bridge contract upgrade, then drained user funds. Funds were returned voluntarily after public pressure and on-chain doxxing within 24 hours.

  2. Socket

    $3M
    16 Jan 2024 · Smart contract · Partially recovered

    Approval-router exploit in the Bungee aggregator's underlying Socket contract. Attackers drained tokens from users who had previously granted unlimited approvals to a now-vulnerable route. ~$2.3M returned by white-hat negotiation.

  3. Orbit Chain

    $82M
    31 Dec 2023 · MPC custody · Never recovered

    New Year's Eve exploit. Seven of ten multisig signers compromised in what Orbit described as a "sophisticated stealth attack." Investigators later linked the operation to Lazarus Group based on on-chain heuristics.

  4. Heco Bridge + HTX

    $113M
    22 Nov 2023 · Custodial · Never recovered

    Heco (Huobi ecosystem chain) bridge and HTX hot wallets drained on the same day in apparently coordinated incidents. Heco bridge funds and HTX user funds had been operationally consolidated; both lost when the controlling keys were compromised.

  5. Multichain

    $130M
    6 July 2023 · MPC custody · Never recovered

    Funds drained from Fantom, Moonriver, and Dogechain bridge contracts after the CEO ("AnySwap" Zhaojun) was reportedly detained by Chinese authorities, with all MPC private keys allegedly under his sole control. Bridge had operated on this single-point-of-failure for years.

  6. Allbridge

    $570k
    1 Apr 2023 · Smart contract · Partially recovered

    Flash-loan-driven price-oracle manipulation on the BNB Chain pool. Notable not for size but for the response — the attacker returned ~$1.5M after Allbridge offered a public white-hat bounty.

  7. BNB Chain Token Hub

    $586M
    7 Oct 2022 · Custodial · Partially recovered

    Forged Merkle proof against the IAVL tree minted 2M BNB out of thin air. Binance validators halted the chain within hours; ~$100M actually exited before the freeze. Public chain halt was itself a story — only possible because BNB Chain is operationally centralised.

  8. Nomad Bridge

    $190M
    1 Aug 2022 · Smart contract · Partially recovered

    A routine upgrade marked the zero hash as a valid trusted root. Any message with no proof became accepted. Once one user noticed, hundreds of copycat addresses replayed the same call with their own addresses substituted — a "decentralised" exploit, free-for-all on-chain for hours.

  9. Harmony Horizon Bridge

    $100M
    23 June 2022 · Validator set · Never recovered · Lazarus Group (DPRK)

    Two of five multisig keys compromised. Three months after Ronin, same playbook, same threat actor, smaller signer set. The post-mortem proposed a 4-of-5 upgrade — too late.

  10. Optimism / Wintermute

    $15M
    9 June 2022 · Smart contract · Partially recovered

    A user sent 20M OP tokens to a multisig address that had not yet been deployed on Optimism. An attacker deployed a contract at the same address first and claimed 1M OP. Wintermute negotiated partial return; the rest was sold.

  11. Ronin Bridge

    $624M
    23 Mar 2022 · Validator set · Never recovered · Lazarus Group (DPRK)

    Five of nine validator keys compromised — four belonging to Sky Mavis and one to Axie DAO. Attackers signed fraudulent withdrawal proofs. Discovered six days after the fact when a user reported a failed withdrawal.

  12. Meter.io

    $4M
    5 Feb 2022 · Smart contract · Never recovered

    Custom modification of ChainBridge code skipped a deposit-value check on wrapped-native transfers. Three days after the much larger Wormhole incident — a quiet exploit on a fork of an audited bridge.

  13. Wormhole

    $326M
    2 Feb 2022 · Smart contract · Fully returned

    Signature-verification bypass in the Solana bridge contract let the attacker forge a guardian-signed message minting 120k wETH on Solana without locking any ETH on Ethereum. Jump Crypto restored the bridge from its own treasury within 24 hours to preserve solvency.

  14. Qubit Finance (QBridge)

    $80M
    27 Jan 2022 · Smart contract · Never recovered

    Deposit function failed to validate that the deposited token was not the zero address. Attacker called deposit with a zero-address token, was credited with "deposited" qXETH, and minted unbacked collateral against it on the BSC side.

  15. pNetwork

    $13M
    19 Sept 2021 · Smart contract · Never recovered

    Bug in pBTC-on-BSC contract let an attacker forge mint events. pNetwork covered the loss from its treasury rather than make users whole via socialised loss — a pattern more bridges should have copied.

  16. Poly Network

    $611M
    10 Aug 2021 · Smart contract · Fully returned

    Privilege-escalation in the EthCrossChainManager contract let the attacker arbitrarily change the keepers. Funds were returned by "Mr. White Hat" over the following two weeks. Largest single-day crypto exploit at the time.

  17. THORChain (combined incidents)

    $13M
    23 July 2021 · Smart contract · Partially recovered

    Two separate exploits within weeks — $5M then $8M — both via faked Ethereum router deposits that THORChain credited as real. Triggered the multi-month "Klingon" rewrite of the deposit accounting layer.

  18. ChainSwap (twice)

    $4M
    10 July 2021 · Smart contract · Never recovered

    Exploited twice in eight days. First incident was a smart-contract permission flaw; second was a signature-replay bug. The double-hit forced affected token projects to redeploy at new contract addresses.

Methodology. Each incident is counted once, USD-denominated at time of exploit (not today's prices). "Recovered" is full restitution to users — treasury bailouts (Wormhole, pNetwork) count as recovered for user-impact purposes even though the protocol absorbed the loss. Includes only bridges where the failure mode was tied to the cross-chain architecture itself; pure DEX exploits and wallet compromises that happened to touch a bridge are excluded.

Corrections. If an entry is wrong or an incident is missing, use the contact form and pick the "Bug report or correction" category. Primary-source URLs are preferred over secondhand reporting.