Intent settlement vs bridges, in plain English

Every "cross-chain swap" you've done since 2022 used one of two architectures underneath. Most people don't know which one, because the UIs all look the same. They're not the same. One has lost $2.5 billion to hacks since 2022. The other is new enough that almost no one writes about it.

This post is the architectural background. No code, no whitepapers — just the mental model.

The thing both architectures are trying to do

You have token X on chain A. You want token Y on chain B. Chain A and chain B don't talk to each other natively — Ethereum can't send a message to Bitcoin, Bitcoin can't read Solana state. Each chain is its own sealed universe.

So you need a third party that can see both chains and move value between them. The question is: what kind of third party, and what gives you confidence it won't run off with your funds?

Architecture 1: Bridges (lock-and-mint)

This is the dominant model. It works like this:

You send your token X to a smart contract on chain A called "the bridge." The bridge locks your X. Some entity watching both chains (could be a multi-sig, an MPC committee, a set of validators) sees the lock and tells chain B about it. A corresponding wrapped token — let's call it w(X) — gets minted on chain B and sent to your address.

The wrapped token is 1:1 backed by the locked original. If you ever want your X back, you burn w(X) on chain B and the bridge unlocks your X on chain A.

Most cross-chain swap UIs add a swap step at the end: after you have w(X) on chain B, swap it on a DEX for token Y. The UI hides the wrap step from you, but it's there.

Why bridges keep getting hacked

The locked X has to be guarded by something. That something is the attack surface.

Wormhole (Feb 2022, $325M lost) — exploited a signature validation bug to mint w(ETH) on Solana without locking ETH on Ethereum.

Ronin (Mar 2022, $625M lost) — the multi-sig had 9 validators; the attacker compromised 5 of them.

Nomad (Aug 2022, $190M lost) — a code change made it possible to spoof any message as having been verified.

Multichain (Jul 2023, $130M lost) — the CEO controlled the private keys; he was arrested and the funds were frozen beyond recovery.

Same pattern every time: there's a locked treasury, and the security depends entirely on whoever guards it. If the guardian is compromised, the treasury is drained.

Architecture 2: Intent settlement (solver networks)

This is the newer model. Different shape entirely.

Instead of locking your X in a shared treasury and minting wrapped versions, the protocol broadcasts your intent: "I have X on chain A, I want Y on chain B, I'll accept at least this price, here's the deadline."

Independent parties called solvers see the intent. Each solver decides whether they can fill it profitably. If yes, they front the Y on chain B to you out of their own inventory, and they claim the X you deposited on chain A.

The crucial part: the solvers don't custody anything shared. Each solver uses their own capital. The protocol enforces that the solver only gets paid the X after the Y has landed in your wallet. Solvers also post collateral that gets slashed if they fail to deliver.

Why this is structurally different

No shared treasury. There's nothing for hackers to drain because no single contract holds everyone's funds. If you attack solver Alice's inventory, you steal Alice's money — not everyone's. The blast radius is bounded.

The trust assumption shifts from "is the bridge's custody secure?" to "is the solver collateral economics sound?" That's a different question, and in many ways an easier one to verify. Collateral can be checked on-chain in real time; bridge security has to be assumed until it's broken.

The honest tradeoffs of intent settlement

Intent settlement isn't free magic. The real downsides:

It's newer. Bridges have been deployed at scale since 2020-2021. Intent settlement protocols have only been running at meaningful volume since 2024-2025. The economic models, slashing mechanisms, and adversarial conditions are less battle-tested.

Liquidity depends on solver participation.If there aren't enough solvers competing for a corridor, prices get worse. Bridges with deep TVL can route huge size; intent networks need active solvers on both sides to scale.

MEV is different but not eliminated. Solvers can theoretically collude or front-run; the protocol design has to prevent this through ordering and commitment mechanisms. Different design space, same underlying problem.

Which protocols use which

Bridge-based (what most cross-chain UIs route through): Across, Wormhole, LayerZero, Connext, Stargate, Synapse, Hop, Multichain (defunct). Cross-chain aggregators like Jumper / LI.FI / Squid / Bungee route through these bridges under the hood.

Intent-based(no shared treasury): CoW Swap (EVM-only), UniswapX (EVM-only), 1inch Fusion (EVM-only), NEAR Intents (multi-chain including Bitcoin). THORChain uses a related-but-different MPC vault model that's also non-bridge.

Why this matters for Bitcoin specifically

Bitcoin can't run smart contracts the way Ethereum can. That makes Bitcoin uniquely hard to bridge. Every "BTC bridge" you've seen — WBTC, BTCB, cbBTC — is really a centralized custodian: BitGo, Binance, or Coinbase holds the actual BTC, mints an ERC-20 IOU, and you trust them to redeem it back to native BTC.

Intent settlement sidesteps this. A Bitcoin-aware solver holds native BTC inventory and trades it directly against other chains. No wrap, no centralized custodian — just a solver willing to fill your BTC-to-USDC order using their own BTC, claiming your USDC in return.

This is the wedge Flip cares about. It's genuinely different from the wrapped-BTC status quo, and the non-custodial story is what makes Bitcoin-native users care.

The bottom line

Bridges have a structural attack surface that intent settlement doesn't. That doesn't make bridges bad — for many corridors they're still the right tool, especially for high-volume EVM-to-EVM routes where bridge liquidity is deep. But for Bitcoin specifically, and for anyone who wants to minimize the "is the shared treasury going to get drained this year?" risk, intent settlement is a real alternative.

Flip uses intent settlement via NEAR Intents. /trust has the user-facing mechanism; this post is the architectural why.