
Bridge Audit

Operational and custodial review of cross-chain bridging: validator set, upgrade authority, custody model, pause procedures.

Cross-chain bridges concentrate unusual amounts of value and have produced some of the largest losses on record. Ronin Bridge lost $625 million in March 2022, Wormhole lost $325 million in February 2022, Nomad lost $190 million in August 2022, and Poly Network lost $611 million in August 2021. Collectively, cross-chain bridge exploits account for over $2 billion in cumulative losses, tracked by Chainalysis in its recurring cross-chain bridge reports. The losses rarely come from the cryptography. They come from multisig quorum drift, validator set compromise, upgrade-key misuse, and the off-chain operational practices around who can authorize what. Smart contract audits cover the bridge code. We audit the operational design around it.

The operational surface

  • Custodial design. Lock-and-mint, burn-and-release, liquidity-pool, or optimistic bridging models each have a distinct risk profile. Identify which model the bridge uses and what the documented controls assume about adversaries.
  • Validator and relayer set. Who signs, under what quorum, how membership changes, and what happens if a threshold of signers goes offline or is compromised.
  • Upgrade and admin keys. Who holds them, under what controls, with what evidence of usage (and non-usage). Same standard we apply to custody platforms (see CCSS Audit & Readiness).
  • Operational runbooks. Pause procedures, rollback procedures, and whether they have been exercised under realistic conditions, not just documented.
  • Asset representation. Whether the wrapped asset on the destination chain is provably backed 1:1 with the locked asset on the source chain, at every moment, under every failure mode.
  • Third-party dependencies. Relayers, oracles, monitoring infrastructure, and what happens when any one of them fails.

What we assess

We review the bridge’s operational design against the question an institutional user would actually ask: if something goes wrong, what is the recovery path, who can execute it, and what evidence is there that they have done so before? We evaluate the custody model, the key ceremony around upgrade and admin authority, the validator set governance, and the gap between documented runbooks and exercised ones. Chainlink’s published analysis of seven key cross-chain bridge vulnerabilities is a useful reference for the failure modes that should be in scope.

What you get

A report structured around the bridge’s operational lifecycle, with severity-graded findings on custody, validator-set governance, upgrade authority, and incident-response readiness. Specific recommendations on which controls to tighten before scaling, and which scenarios to exercise.

We do not audit smart contract code; pair this work with a smart contract audit from a firm that does (Trail of Bits, Halborn, OpenZeppelin, others).

Who this is for

  • Bridge operators seeking independent operational assessment, often alongside smart contract audit work.
  • Protocols integrating a bridge as part of their core infrastructure.
  • Allocators and institutional users evaluating exposure to bridged assets. Bridge risk is often the missing surface in a broader Operational Due Diligence engagement.
  • Custody providers and exchanges assessing which bridged representations to support.
  • Stablecoin issuers whose tokens travel across chains via bridges; the operational risk of the bridges directly affects the integrity of the wrapped asset (see Stablecoin Operations).

When to engage

  • Before launching a bridge or a major version upgrade.
  • Before integrating a bridge into a workflow your users depend on.
  • When a bridge’s validator set, upgrade authority, or custody model has changed.
  • When the amount of value transiting the bridge has grown past the point the original operational design contemplated.

Frequently asked questions

Why isn't a smart contract audit enough for a bridge?

Bridges concentrate unusual amounts of value behind operational decisions, not just code. The Ronin Bridge hack ($625 million, March 2022) succeeded because attackers compromised 5 of 9 validator keys, a quorum failure with no smart-contract vulnerability. Wormhole ($325 million, February 2022), Nomad ($190 million, August 2022), and Poly Network ($611 million, August 2021) had similar operational root causes: signing-key compromise, upgrade-authority misuse, validator-set governance. Smart contract audits cover the bridge's code; operational audits cover everything else.

How do you audit a cross-chain bridge's validator set?

We assess validator selection criteria, signing thresholds, key-custody arrangements for each validator, the documented procedure for adding or removing validators, and on-chain evidence that the documented procedures match actual operations. We then evaluate failure modes: what happens if a threshold of validators goes offline, is compromised, or colludes.

What did Ronin, Wormhole, and Nomad miss operationally?

Ronin: a 5-of-9 validator quorum with insufficient key-custody segregation, compromised via social engineering. Wormhole: signing-key handling exposed through a deprecated authority. Nomad: an initialization error in a contract upgrade left the bridge effectively unsecured. All three were operational failures around governance, key handling, or upgrade procedures, not failures of the underlying cryptography.
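
To make the validator-set failure modes and the key-custody segregation point above concrete, the following added example (not part of the original page or any bridge's tooling) compares a nominal signing threshold with the number of independent custodians that actually stand behind it. The key-to-custodian mapping, the function names, and both sample layouts are assumptions constructed for illustration.

```python
from collections import Counter


def fewest_custodians(custody, keys_needed):
    """Smallest set of custodians that together hold >= keys_needed keys.

    custody maps validator key id -> custodian (hypothetical schema).
    Taking the largest holders first is optimal for minimising the count.
    """
    chosen, held = [], 0
    for custodian, count in sorted(Counter(custody.values()).items(),
                                   key=lambda kv: (-kv[1], kv[0])):
        if held >= keys_needed:
            break
        chosen.append(custodian)
        held += count
    return chosen if held >= keys_needed else None


def assess_quorum(custody, threshold):
    n = len(custody)
    if not 1 <= threshold <= n:
        raise ValueError("threshold must be between 1 and the number of keys")
    # Safety: custodians whose compromise or collusion yields a signing quorum.
    sign = fewest_custodians(custody, threshold)
    # Liveness: custodians whose outage leaves fewer than `threshold` signers.
    halt = fewest_custodians(custody, n - threshold + 1)
    return {"nominal": f"{threshold}-of-{n}",
            "custodians_to_sign": len(sign), "signing_set": sign,
            "custodians_to_halt": len(halt), "halting_set": halt}


# Constructed sample data: not the layout of any real bridge.
CONCENTRATED = {"v1": "operator-a", "v2": "operator-a", "v3": "operator-a",
                "v4": "operator-a", "v5": "partner-b", "v6": "partner-c",
                "v7": "partner-d", "v8": "partner-e", "v9": "partner-f"}
SEGREGATED = {f"v{i}": f"custodian-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, layout in (("concentrated", CONCENTRATED),
                         ("segregated", SEGREGATED)):
        print(name, assess_quorum(layout, 5))
```

Both layouts report a nominal 5-of-9 quorum, but in the concentrated layout two custodians are enough to reach it or to halt it, while the segregated layout requires five.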

Who should review a bridge before it launches?

Smart contract auditors (Trail of Bits, Halborn, OpenZeppelin, others) for the code. We do the operational design assessment around it: custody model, validator-set governance, upgrade-key controls, pause and rollback procedures, third-party dependencies. The two together cover the bridge's full attack surface.

How long does a bridge audit take?

Four to ten weeks from kickoff, depending on the bridging model (lock-and-mint, burn-and-release, optimistic, liquidity-pool), the size of the validator set, and the maturity of the operational documentation. Re-audits for upgrades or new asset support typically run two to four weeks.

What are the most common bridge attack vectors?

Compromised validator or relayer keys, upgrade-authority misuse, insufficient quorum, oracle manipulation, off-chain operational mistakes during initialization, and third-party dependencies that fail under adversarial conditions. Chainlink's published analysis of seven key cross-chain bridge vulnerabilities is a useful reference. Chainalysis has tracked over $2 billion in cumulative bridge-exploit losses across named incidents.

Scope a Bridge Audit engagement

Every engagement starts with a scoping call about what you're trying to assure and who you need to assure it to.
