Cross-chain bridges remain the soft underbelly of DeFi. Since January 2025, bridge-related exploits have accounted for over $140 million in losses. The CrossCurve hack ($3M, February 2026), the Resolv Protocol breach ($25M, March 2026), and a string of smaller incidents share common root causes that are entirely preventable.
This article distills seven concrete security practices from recent bridge exploits. Whether you're building a bridge, auditing one, or integrating with one as a protocol, this checklist should be on your wall.
1. Gateway Validation Is Not Optional
The CrossCurve Lesson ($3M, Feb 2026)
CrossCurve's ReceiverAxelar contract had one job: verify that incoming messages actually originated from the Axelar gateway. It failed. The contract's expressExecute-like functions accepted crafted messages that bypassed gateway validation entirely, allowing an attacker to instruct the PortalV2 contract to unlock tokens at will.
Checklist Item: Every function that processes cross-chain messages MUST validate the message origin against the bridge's gateway contract as the very first check.
2. Defense-in-Depth for Message Authentication
Layer multiple authentication mechanisms: gateway signature verification, source chain/address allowlisting, nonce tracking for replay protection, and rate limiting. CrossCurve used Axelar, LayerZero, and its own oracle network, but the validation gap in a single receiver contract undermined all of them.
3. Separate Custody from Message Processing
Don't let a single contract both validate messages and control fund release. Use: Receiver (validates) -> Governor/Timelock (authorizes) -> Vault (releases). Even if a receiver is compromised, the attacker still needs to bypass the governor's logic.
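Items 1 to 3 in one pipeline, as an added example that is not CrossCurve's, Axelar's or any deployed bridge's code: the Receiver asks the gateway to validate the message before it does anything else, then enforces a (chain, address) allowlist and per-sender nonces, and can only ask a Governor to queue a release; the Governor imposes a delay during which a guardian can cancel, and is the only caller the vault accepts. Only the IAxelarGateway signature mirrors Axelar's public gateway interface; the contract names, the 6-hour delay, the guardian role and the (to, amount, nonce) payload layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not code from CrossCurve, Axelar or any deployed bridge. Only the IAxelarGateway
// signature mirrors Axelar's gateway interface; all other names, the delay and payload layout are assumptions.
interface IAxelarGateway {
    function validateContractCall(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes32 payloadHash
    ) external returns (bool);
}

interface IVault {
    function release(address to, uint256 amount) external returns (bool); // false = refused by the vault's own checks
}

// Step 1: validates messages, never custodies funds.
contract Receiver {
    IAxelarGateway public immutable gateway;
    Governor public immutable governor;
    mapping(bytes32 => bool) public trustedSender;                  // keccak(chain, address) => allowed
    mapping(bytes32 => mapping(uint256 => bool)) public usedNonce;  // sender => nonce => consumed

    error NotApprovedByGateway();
    error UntrustedSender();
    error NonceAlreadyUsed();

    constructor(address gateway_, address governor_) {
        gateway = IAxelarGateway(gateway_);
        governor = Governor(governor_);
    }

    // Allowlist changes are restricted to the guardian multisig here (assumption); in production they belong behind the timelock too.
    function setTrustedSender(string calldata chain, string calldata addr, bool ok) external {
        require(msg.sender == governor.guardian(), "only guardian");
        trustedSender[keccak256(abi.encode(chain, addr))] = ok;
    }

    function execute(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload
    ) external {
        // Check 1, before anything else: the gateway must have approved exactly this call.
        bool approved = gateway.validateContractCall(commandId, sourceChain, sourceAddress, keccak256(payload));
        if (!approved) revert NotApprovedByGateway();
        // Check 2: only allowlisted (chain, address) pairs may send instructions.
        bytes32 sender = keccak256(abi.encode(sourceChain, sourceAddress));
        if (!trustedSender[sender]) revert UntrustedSender();
        // Check 3: each (sender, nonce) is consumed once, so an approved message cannot be replayed.
        (address to, uint256 amount, uint256 nonce) = abi.decode(payload, (address, uint256, uint256));
        if (usedNonce[sender][nonce]) revert NonceAlreadyUsed();
        usedNonce[sender][nonce] = true;
        governor.queueRelease(to, amount, nonce); // the receiver cannot move tokens itself
    }
}

// Step 2: authorizes after a delay. Step 3, the vault, accepts release() from this contract only.
contract Governor {
    uint256 public constant DELAY = 6 hours;     // assumption
    IVault public immutable vault;
    address public immutable guardian;           // multisig that can cancel queued releases
    address public receiver;                     // set once, after the Receiver is deployed
    mapping(bytes32 => uint256) public readyAt;  // release id => earliest execution time

    constructor(address vault_, address guardian_) {
        vault = IVault(vault_);
        guardian = guardian_;
    }

    function setReceiver(address receiver_) external {
        require(msg.sender == guardian && receiver == address(0), "set once by guardian");
        receiver = receiver_;
    }

    function queueRelease(address to, uint256 amount, uint256 nonce) external {
        require(msg.sender == receiver, "only receiver");
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
    }

    // The delay is the window in which the guardian can cancel a flagged release, even if the receiver was compromised.
    function cancel(bytes32 id) external {
        require(msg.sender == guardian, "only guardian");
        delete readyAt[id];
    }

    function executeRelease(address to, uint256 amount, uint256 nonce) external {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];
        if (!vault.release(to, amount)) readyAt[id] = t; // refused: keep queued for guardian review
    }
}
```

Deployment order under these assumptions: Governor first (with the vault and guardian addresses), then Receiver (with the gateway and Governor addresses), then the guardian calls setReceiver once. The point of the split is that a compromised Receiver can at most queue releases that are visible for six hours and cancellable; it cannot call the vault, and the vault would reject it if it tried.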
4. Off-Chain Infrastructure Is Part of Your Attack Surface
The Resolv Lesson ($25M, Mar 2026)
The attacker compromised a private key through the off-chain key management service, minting 80M unbacked USR tokens from 200K USDC. Use HSMs/MPC wallets. Implement key rotation. Put minting behind timelocks and multisigs.
5. Invariant Monitoring, Not Just Access Controls
Access controls answer "who can call this?" Invariant monitoring answers "is the system still valid?" Track: conservation of value, collateral ratios, rate bounds, and balance consistency both on-chain and via off-chain circuit breakers.
6. Circuit Breakers Are Non-Negotiable
Auto-pause on: volume spikes (3x 7-day average), large single transfers (X% of TVL), rapid sequential drains, and oracle deviations. CrossCurve's multi-chain drain could have been limited if a breaker triggered after the first chain was exploited.
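Items 5 and 6 in one vault, as an added example that is not code from CrossCurve, Resolv or any bridge: release() is gated by two of the triggers listed above, a single transfer above X% of TVL (X = 5% is assumed here) and a day's outflow above 3x the 7-day average, plus a conservation-of-value invariant. A tripped breaker pauses the vault and refuses the transfer instead of reverting, because a revert would undo the pause together with the transfer. The contract and role names, the constants and the governor/guardian split are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not code from CrossCurve, Resolv or any deployed bridge. The triggers are the
// article's (single transfer above X% of TVL, daily volume above 3x the 7-day average); X = 5% is an assumption.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

contract Vault {
    IERC20 public immutable token;
    address public immutable governor;   // the only caller allowed to release funds
    address public immutable guardian;   // may pause (e.g. on a signal from an off-chain monitor) and unpause

    uint256 public constant MAX_SINGLE_BPS = 500;   // 5% of TVL per release (assumption for "X%")
    uint256 public constant SPIKE_MULTIPLIER = 3;   // today's outflow vs the 7-day daily average
    uint256 public constant BASELINE_DAYS = 7;

    bool public paused;
    uint256 public totalDeposited;                 // value that entered through deposit()
    uint256 public totalReleased;                  // value that left through release()
    mapping(uint256 => uint256) public dailyOut;   // day index => volume released that day

    event Paused(string reason);
    event Released(address to, uint256 amount);

    constructor(address token_, address governor_, address guardian_) {
        token = IERC20(token_);
        governor = governor_;
        guardian = guardian_;
    }

    function deposit(uint256 amount) external {
        require(!paused, "paused");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        totalDeposited += amount;
    }

    // Conservation of value: nothing may leave that did not come in, and the balance must cover
    // everything still owed. A false result means some path other than release() moved funds.
    function invariantHolds() public view returns (bool) {
        return totalReleased <= totalDeposited
            && token.balanceOf(address(this)) >= totalDeposited - totalReleased;
    }

    function avgDailyOut(uint256 today) public view returns (uint256) {
        uint256 sum;
        for (uint256 i = 1; i <= BASELINE_DAYS && i <= today; i++) sum += dailyOut[today - i];
        return sum / BASELINE_DAYS;
    }

    // Returns false (and pauses) rather than reverting when a breaker trips, so the pause persists.
    function release(address to, uint256 amount) external returns (bool) {
        require(msg.sender == governor, "only governor");
        if (paused) return false;
        if (!invariantHolds()) return _trip("invariant violated");
        uint256 tvl = token.balanceOf(address(this));
        if (amount * 10_000 > tvl * MAX_SINGLE_BPS) return _trip("single transfer above cap");
        uint256 today = block.timestamp / 1 days;
        uint256 avg = avgDailyOut(today);
        // No baseline in the first week: only the single-transfer cap applies until history exists.
        if (avg > 0 && dailyOut[today] + amount > SPIKE_MULTIPLIER * avg) return _trip("volume spike");
        dailyOut[today] += amount;
        totalReleased += amount;
        require(token.transfer(to, amount), "transfer failed");
        emit Released(to, amount);
        return true;
    }

    function _trip(string memory reason) internal returns (bool) {
        paused = true;
        emit Paused(reason);
        return false;
    }

    function setPaused(bool p) external {
        require(msg.sender == guardian, "only guardian");
        paused = p;
        if (p) emit Paused("guardian");
    }
}
```

The on-chain breakers stop the single transaction that crosses a threshold on one chain. The same thresholds belong in an off-chain monitor that watches every chain the bridge is deployed on and pauses through the guardian, because patterns like a rapid sequential drain across chains are only visible from outside any one vault.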
7. Audit the Integration, Not Just the Contracts
The CrossCurve vulnerability lay in how the team integrated with Axelar, not in Axelar's code. Audit every receiver/adapter, the interaction flow between components, upgrade paths, error handling, and the full message lifecycle.
Pre-deployment Checklist
- All cross-chain handlers validate gateway origin
- Source chain + address allowlists configured
- Replay protection implemented
- Rate limits set based on expected volume
- Circuit breakers tested with thresholds
- Invariant checks cover conservation of value
- Off-chain key management uses HSM/MPC
- Admin functions behind timelocks
- Integration contracts in audit scope
- Monitoring covers all chains
Build bridges like they're the highest-value target in your protocol. Because they are.
DreamWork Security publishes weekly research on smart contract vulnerabilities and DeFi security best practices.