Blockchain Bridge Security Comparison: Trust Models and Track Records

Bridge Security Models Compared

Cross-chain bridges have become critical infrastructure for moving assets between blockchains, but they remain one of the most exploited components in crypto. Since 2022, bridge hacks have accounted for over 69% of total funds stolen in DeFi, with cumulative losses exceeding $2.8 billion from bridge exploits alone. Choosing the right bridge means understanding the trust model underneath it: who validates messages, what happens when validators misbehave, and how much capital is at risk.

This comparison covers six major bridge protocols: Wormhole, LayerZero (via Stargate), Axelar, Across, Hop, and their underlying security architectures. Each protocol makes different tradeoffs between decentralization, speed, and trust assumptions.

For a comparison of bridge fees rather than security models, see the bridge fee calculator.

Trust Model Architectures

Bridge security fundamentally comes down to who can authorize a cross-chain message and what happens if they act maliciously. There are four main architectural approaches in production today.

Multisig / Guardian Networks

Wormhole uses a permissioned set of 19 Guardian nodes operated by established validators such as Figment, Staked, and Everstake. Each Guardian runs full nodes for every supported blockchain. When a cross-chain message is emitted, Guardians independently verify the event and sign an attestation. Once 13 of 19 Guardians (a two-thirds supermajority) have signed, their signatures are aggregated into a Verifiable Action Approval (VAA) that the destination chain contract can verify on-chain.

The strength of this model is simplicity and speed. The weakness is that security depends on the honesty and operational security of a fixed set of known entities. If 13 Guardians are compromised, all funds are at risk. Wormhole mitigates this with a Global Accountant that tracks circulating supply across chains and a Governor that rate-limits suspicious outflows.

Configurable DVN Quorums (LayerZero)

LayerZero V2 introduced Decentralized Verifier Networks (DVNs) that separate message verification from execution. Instead of a fixed validator set, each application chooses its own DVN configuration using an X-of-Y-of-N framework. For example, a "2 of 3 of 5" configuration requires two specific DVNs plus any three from a pool of five to validate a message.

DVN operators range from Google Cloud and Chainlink to independent operators, with 43 DVNs supporting over 120 networks as of 2025. LayerZero partnered with Eigen Labs to create a CryptoEconomic DVN Framework where verifiers stake tokens and face slashing for dishonest behavior. The permissionless nature means that even if all existing DVNs fail, application developers can launch their own DVN and continue operating.

Delegated Proof-of-Stake (Axelar)

Axelar operates its own Layer 1 blockchain secured by Delegated Proof-of-Stake consensus using CometBFT. The top 75 validators (by delegated AXL stake) form the active set. Validators produce blocks, participate in multiparty signing, and vote on external chain states. Axelar uses quadratic voting: validators must increase their stake exponentially to gain additional voting power, preventing a few large stakers from dominating consensus.

The hub-and-spoke topology is a security advantage: problems on one connected chain can be contained without affecting others. Following the Cobalt upgrade in early 2025, base inflation was removed and gas fees paid in AXL are burned, tightening the economic security model. Circle acquired the Interop Labs team and IP in December 2025, though the AXL token and network remain under independent community governance.

Optimistic Verification (Across, Hop)

Across Protocol uses an intent-based architecture secured by UMA's Optimistic Oracle. A bonded relayer fulfills the user's transfer on the destination chain, then a dataworker submits a bundle of fulfilled intents to UMA for verification. A one-hour challenge window opens: if no one disputes the claim, it is accepted. If challenged, UMA's Data Verification Mechanism resolves the dispute through token-holder voting.

Hop Protocol takes a similar optimistic approach tailored to Ethereum Layer 2 rollups. Whitelisted Bonders front liquidity on the destination chain, and Challenge Watchers monitor for fraudulent activity. If a Bonder submits an invalid proof, they get slashed. The security of user funds ultimately inherits from the underlying rollup: the worst case is a temporary delay, not a loss of funds.

Major Bridge Security Incidents

The history of bridge exploits provides critical lessons about what goes wrong and which architectural choices are most vulnerable. The following table covers the largest bridge hacks by dollar value.

Several patterns emerge from these incidents. Compromised private keys were the attack vector in the Ronin, Harmony, and IoTeX hacks. Smart contract vulnerabilities enabled the Wormhole and Nomad exploits. Low-threshold multisigs (2-of-5, 5-of-9) were disproportionately targeted because fewer keys need to be compromised. The Lazarus Group (DPRK) was attributed to multiple attacks, with North Korean actors stealing at least $2 billion in crypto during 2025 alone according to Chainalysis.

Audit History and Security Practices

The number and rigor of security audits is one signal (though not a guarantee) of protocol maturity. Here is how each bridge compares on security practices:

• Wormhole has completed 29 third-party audits across its codebase. After the 2022 exploit, it deployed the Global Accountant, Governor rate-limiting, and a $10 million bug bounty on Immunefi. It was the only cross-chain protocol unconditionally approved by Uniswap's Bridge Assessment Committee.
• LayerZero publishes monthly security reports and maintains a $15 million bug bounty. Its V2 architecture has undergone audits from multiple firms. A dedicated security checklist exists for developers integrating LayerZero V2 cross-chain messaging.
• Axelar has maintained a clean exploit record with consistent third-party audits. Its DPoS model with quadratic voting is openly auditable on-chain, and validator behavior is transparent through the Axelarscan explorer.
• Across Protocol has been audited over 10 times by OpenZeppelin, which serves as UMA's primary security partner. The V4 upgrade adds ZK-proven settlement via Succinct zkVM as a secondary verification layer alongside the optimistic oracle.
• Hop Protocol was built by a team with auditing backgrounds (former auditors for dYdX, Augur, and Decentraland). The protocol uses non-custodial design with multi-signature contracts protected by timelocks.

How to Evaluate Bridge Security

When choosing a cross-chain bridge, evaluate these dimensions:

Validator threshold and diversity: how many independent parties must collude to steal funds? A 13-of-19 Guardian set (Wormhole) is stronger than a 2-of-5 multisig (the configuration that allowed the Harmony hack). Permissionless validator sets (Axelar, LayerZero DVNs) are generally more resilient than permissioned ones.

Economic security: is there staked capital that can be slashed? Axelar validators stake AXL tokens. LayerZero's CryptoEconomic DVN framework introduces slashing via EigenLayer. Optimistic bridges like Across require relayers to post bonds.

Track record: has the protocol been exploited? How did it respond? Wormhole's 2022 incident was fully covered by Jump Crypto, and significant security upgrades followed. Protocols with no exploits (LayerZero, Axelar, Across) have shorter or less battle-tested histories, which is a different kind of risk.

For related security comparisons across Layer 2 networks, see the Layer 2 security comparison tool.

The Case Against Bridging

Every bridge introduces trust assumptions that do not exist in native on-chain transactions. Even the most secure bridge adds counterparty risk: you are trusting validators, smart contracts, and operational security practices of a third-party protocol to safeguard your assets during transit.

This is why protocols like Spark take a different approach. Rather than bridging assets from Ethereum or Solana to Bitcoin, Spark operates natively on Bitcoin as a Layer 2 protocol. Assets like USDB exist on Spark without ever crossing a bridge, eliminating the entire class of bridge-related risks. For users who want stablecoin functionality on Bitcoin, native issuance avoids the trust assumptions, smart contract vulnerabilities, and validator collusion risks that bridges inherently carry.

The broader interoperability challenge remains unsolved: no bridge architecture has proven itself immune to exploitation. Zero-knowledge proofs are the most promising path toward trustless verification, with both Wormhole and Across integrating ZK-based settlement in recent upgrades, but the technology is still maturing.

Frequently Asked Questions

What is the safest blockchain bridge?

No bridge is provably safe. Wormhole has the longest track record by volume ($65B+ transferred) and was the only bridge unconditionally approved by Uniswap's security assessment. LayerZero has had zero core protocol exploits and offers the most flexible security configuration through its DVN system. Axelar provides a fully decentralized PoS validator set. Each protocol makes different tradeoffs, so "safest" depends on your specific trust assumptions and use case.

How much money has been stolen from bridge hacks?

Over $2.8 billion has been stolen from bridge exploits since 2022. The largest single incident was the Ronin Bridge hack ($624M in March 2022), followed by the BNB Bridge ($568M) and Wormhole ($326M). In 2025, cross-chain bridges were used to launder over $1.5 billion in stolen funds according to Hacken, even as bridge-specific exploit losses declined from their 2022 peak.

What is a bridge trust model?

A bridge trust model defines who validates cross-chain messages and what guarantees users have that validators will act honestly. The main models are: multisig/guardian networks (a fixed set of known validators), proof-of-stake (an open validator set with staked collateral), configurable verifier quorums (application-chosen verification sets), and optimistic verification (assume valid unless challenged within a dispute window). Each model has different failure modes and attack surfaces.

Are ZK bridges more secure than multisig bridges?

In theory, yes. ZK (zero-knowledge) bridges verify cross-chain messages using cryptographic proofs rather than trusting a set of validators. This removes the human element: security relies on math, not reputation. In practice, ZK bridge technology is still early. Wormhole has begun integrating ZK proofs to replace Guardian signatures for certain transfers, and Across V4 adds ZK-proven settlement via Succinct zkVM. Full ZK bridge verification at scale remains a work in progress.

Why are bridges the biggest target for crypto hackers?

Bridges are attractive targets because they hold large pools of locked liquidity (the assets backing wrapped tokens on destination chains) and introduce complex multi-chain logic that is difficult to audit exhaustively. A single vulnerability can drain assets across multiple chains simultaneously. The Chainalysis 2022 report found that bridge hacks accounted for roughly two-thirds of all DeFi theft that year.

What is the difference between LayerZero and Wormhole?

Wormhole uses a fixed set of 19 permissioned Guardians that must reach a 13/19 supermajority to validate messages. LayerZero uses a modular DVN system where each application configures its own verifier set from 43+ available DVNs. Wormhole has processed more lifetime volume ($65B+ vs $50B+) but experienced a $326M exploit in 2022. LayerZero has had no core protocol exploits but shifts security responsibility partly onto application developers, who must choose their DVN configuration wisely.

Can I avoid bridge risk entirely?

The only way to eliminate bridge risk is to use assets that are native to the chain you are operating on. For Bitcoin users, protocols like Spark issue assets natively on Bitcoin's Layer 2 without bridging from other chains. For Ethereum users, sticking to native ETH and ERC-20 tokens on Ethereum mainnet or its canonical rollup bridges (which inherit Ethereum's security) avoids third-party bridge risk entirely.

This tool is for informational purposes only and does not constitute financial or security advice. Bridge security data is based on publicly available information as of early 2026. Audit counts, TVL figures, and security architectures change frequently. Always verify current data on each protocol's official documentation before making bridging decisions.