WowStack Docs

Review of the Top 10 Historical Cross-Chain Bridge Hacks: What Pitfalls Users Should Avoid

If cross-chain bridges are the highways of DeFi, they are also the sites of DeFi's largest accidents. From 2021 to 2024, more than $3 billion in total was stolen from cross-chain bridges. These events are not abstract technical jargon; behind each of them is a lesson that ordinary users can apply. This article reviews several of the most instructive bridge hacks.

1. Ronin Bridge (March 2022, $625 Million)

The Incident

Axie Infinity's own Ronin bridge used a 9-validator multisig. The attacker obtained 5 of the private keys through social engineering and signed a massive withdrawal.

Lessons Learned

  • Multisig threshold too low: A 5-of-9 setup is only a 55% threshold, and it is broken as soon as enough phishing attempts succeed.
  • Concentrated validators: 5 of the keys were controlled by a single company, Sky Mavis.
  • Lack of on-chain monitoring alerts: It took 6 days to notice that the $625 million had left.

What Users Should Do

  • Choose bridges with a threshold of 7-of-10 or higher, where validators consist of multiple institutions.
  • Monitor the bridge's real-time on-chain TVL dashboard.

2. Wormhole (February 2022, $326 Million)

The Incident

The Solana ↔ ETH bridge contract had a signature verification vulnerability. The attacker forged an "approved" message and minted 120,000 wETH out of thin air.

Lessons Learned

  • Signature verification code bug: An upgrade missed checking a deprecated function.
  • Audit did not cover this path: The audit report marked this module as "low risk."

What Users Should Do

  • Pay attention to all modules marked as "deprecated" in audit reports.
  • Do not use a bridge within 1 week of an upgrade.

3. Nomad (August 2022, $190 Million)

The Incident

After a contract upgrade, the default root value became all zeros, allowing anyone to forge an authenticated message and withdraw funds. Once discovered, it turned into an "on-chain free-for-all" with hundreds of wallets jumping in to loot.

Lessons Learned

  • Initialization error: The root value was not set after the upgrade.
  • Mass looting: Because the code was open source, the attack was copied immediately.
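As an added example that is not Nomad's code or part of the original article, the following Python model reproduces the shape of the initialization error: after the upgrade the committed root was 0x00 and was marked as confirmed, while a message that had never been proven also mapped to root 0x00 by default, so the two defaults matched. The hardened variant shows the two checks that close the hole. Class and function names, the sample messages and the "real root" are constructed for illustration.

```python
import hashlib
ZERO_ROOT = b"\x00" * 32


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class VulnerableReplica:
    # Model of the buggy acceptance logic; unset mapping entries default to 0.
    def __init__(self, committed_root: bytes, now: int = 1000):
        self.now = now
        self.confirm_at = {}   # root -> time from which it is acceptable
        self.messages = {}     # message hash -> root it was proven against
        self.confirm_at[committed_root] = 1   # no check that the root is non-zero

    def prove(self, message: bytes, root: bytes) -> None:
        self.messages[msg_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and t <= self.now

    def process(self, message: bytes) -> bool:
        # Bug: an unproven message maps to ZERO_ROOT, which initialize() "confirmed".
        return self.acceptable_root(self.messages.get(msg_hash(message), ZERO_ROOT))


class HardenedReplica(VulnerableReplica):
    # Same logic with the two checks that close the hole.
    def __init__(self, committed_root: bytes, now: int = 1000):
        if committed_root == ZERO_ROOT:
            raise ValueError("committed root must be non-zero")
        super().__init__(committed_root, now)

    def process(self, message: bytes) -> bool:
        root = self.messages.get(msg_hash(message))
        if root is None or root == ZERO_ROOT:   # never accept unproven messages
            return False
        return self.acceptable_root(root)


def demo() -> tuple:
    # Constructed inputs: one message never proven, one proven against a real root.
    unproven = b"constructed message never proven against any root"
    proven = b"constructed message proven against a real root"
    real_root = hashlib.sha256(b"constructed merkle root").digest()
    vuln = VulnerableReplica(ZERO_ROOT)        # post-upgrade state: root 0x00
    hard = HardenedReplica(real_root)
    hard.prove(proven, real_root)
    return vuln.process(unproven), hard.process(unproven), hard.process(proven)
```

Running `demo()` returns `(True, False, True)`: the vulnerable model accepts the unproven message, the hardened one rejects it and still accepts the proven one.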

What Users Should Do

  • Wait and see for the first week after a bridge upgrade.
  • Set up alerts for abnormal TVL drops.

4. Harmony Horizon (June 2022, $100 Million)

The Incident

The bridge used a 2-of-5 multisig. The attacker compromised it after obtaining just 2 private keys.

Lessons Learned

  • Severely inadequate multisig threshold.
  • Careless private key custody: Developers stored them in plaintext.

What Users Should Do

  • Blacklist bridges with small-threshold multisigs like "2-of-5" or "3-of-5" immediately.

5. Multichain (Anyswap) (July 2023, $126 Million)

The Incident

The CEO became unreachable and was accused of holding the private keys to all the bridges. The funds were misappropriated all at once.

Lessons Learned

  • Extreme centralization: Multisig on the surface, but a single point of control in reality.
  • Opaque team: The CEO's true identity was never clear.

What Users Should Do

  • Choose bridges with public teams and decentralized custody of private keys.
  • Do not leave funds overnight in centralized bridges.

6. Poly Network (August 2021, $600 Million, Later Returned)

The Incident

A vulnerability in contract permission validation was exploited, allowing the attacker to bypass signatures and directly call the withdrawal function. The attacker later returned the funds.

Lessons Learned

  • Lack of multiple validations for major permission functions.
  • Whether an attacker turns out to be a white hat or a black hat is largely luck; you might not be so lucky next time.

What Users Should Do

  • Choose bridges that have timelocks for permission calls.

7. Qubit Bridge (January 2022, $80 Million)

The Incident

The deposit contract lacked a zero-address check. The attacker used a 0x000... wallet to fake a deposit, receiving BSC-side wETH out of thin air.

Lessons Learned

  • Audits missed the boundary conditions.

8. Ronin (Hacked Again in 2024, $12 Million)

The Incident

Two years later, another incident occurred when a newly deployed gas-free RPC node leaked its private key.

Lessons Learned

  • A project that has already fallen into one massive pit is not guaranteed to be safe the second time.
  • Keep following the project's latest audit updates.

9. Orbit Chain (January 2024, $82 Million)

The Incident

Three of the 7 multisig validators signed suspicious transactions, raising suspicions of an inside job.

Lessons Learned

  • Insider risks can never be ignored.
  • Multisig ≠ Secure.

10. Other Small Bridge Rug Pulls

Every year, a few new bridges issue tokens, launch for a while, and suddenly rug pull. Common traits:

  • Anonymous teams.
  • Fake audit reports.
  • TVL pumping and dumping rapidly.

11. Comprehensive Lessons: 7 Iron Rules for Users

  1. Do not park large amounts of funds in bridge contracts long-term.
  2. Multisig thresholds must be high enough (≥ 7-of-10).
  3. Decentralized validators (multiple institutions).
  4. Prioritize light client/ZK-verified bridges.
  5. Audited by ≥ 2 firms with no unpatched High-risk vulnerabilities.
  6. Watch out for on-chain TVL anomalies.
  7. Wait and see for 1 week after a bridge upgrade.
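As an added example (not from the original article), a small Python checker that turns rules 2, 3, 5, 6 and 7 into code: a profile check for a bridge's multisig threshold, validator spread, audits and upgrade age, plus a TVL-drop alert of the kind that would have flagged a Ronin-style outflow within hours rather than days. The BridgeProfile fields, thresholds and sample numbers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class BridgeProfile:
    name: str
    sigs_required: int     # m in an m-of-n multisig
    validators: int        # n
    validator_orgs: int    # distinct institutions holding keys
    audit_firms: int
    open_high_findings: int
    days_since_upgrade: int


def check_rules(p: BridgeProfile) -> List[str]:
    """Return the iron rules (2, 3, 5, 7 above) that the profile violates."""
    failed = []
    if p.sigs_required < 7 or p.sigs_required / p.validators < 0.7:
        failed.append("rule2: multisig threshold below 7-of-10")
    if p.validator_orgs < 2:
        failed.append("rule3: keys held by a single institution")
    if p.audit_firms < 2 or p.open_high_findings > 0:
        failed.append("rule5: fewer than 2 audits or unpatched High findings")
    if p.days_since_upgrade < 7:
        failed.append("rule7: upgrade less than 1 week old")
    return failed


def tvl_drop_alerts(tvl: List[float], window: int = 24, max_drop: float = 0.2) -> List[int]:
    """Indices where TVL fell more than max_drop versus the prior `window` samples (rule 6)."""
    alerts = []
    for i in range(1, len(tvl)):
        baseline = max(tvl[max(0, i - window):i])
        if baseline > 0 and (baseline - tvl[i]) / baseline > max_drop:
            alerts.append(i)   # every sample below the baseline is flagged, not only the first
    return alerts


def demo() -> dict:
    # Constructed profiles; the weak one echoes the page's Ronin figures (5-of-9, one company).
    weak = BridgeProfile("ronin-like", 5, 9, 1, 1, 0, 30)
    strong = BridgeProfile("compliant", 7, 10, 6, 2, 0, 30)
    # Constructed hourly TVL in $M: steady, then an outflow that rule 6 should catch at once.
    tvl = [620.0] * 10 + [615.0, 618.0, 3.0, 2.5, 2.5]
    return {"weak": check_rules(weak), "strong": check_rules(strong),
            "alerts": tvl_drop_alerts(tvl, window=6, max_drop=0.2)}
```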

12. Final Thoughts

The essence of bridge hacks is almost never "brand new attacks," but repeated recurrences: multisig private key leaks, initialization errors, signature verification vulnerabilities, and insider malice. Treat these ten cases as a "negative example checklist." Cross-checking them one by one the next time you evaluate a bridge can help you avoid 90% of the pitfalls.

