The multisig is the root. Every canonical bridge, from Arbitrum to Optimism, is secured by a multisig controlled by the founding team or foundation. This is a custodial bottleneck that cannot be upgraded away without a hard fork of the L2 itself.
Why Trust-Minimized Bridges Are Still a Custodial Compromise
A first-principles breakdown exposing how all cross-chain bridges, from optimistic to ZK models, ultimately rely on a trusted set of actors or economic assumptions, creating systemic risk.
The Bridge Trust Fallacy
Even 'trust-minimized' bridges like Across and Stargate rely on a core set of centralized validators, creating a systemic risk that is often mispriced.
Third-party bridges add layers of trust; they do not remove it. Protocols like LayerZero and Wormhole use external validator sets (oracles, guardians). This shifts but does not eliminate trust, creating a new attack surface that is less scrutinized than L1 consensus.
Proof-of-Stake is not trustless. Bridges that use staking with slashing, like Across, still depend on a watchdog committee to attest to fraud. This is a social consensus layer that can fail under extreme network conditions or coercion.
Evidence: The Nomad bridge hack exploited a single faulty upgrade, proving that upgradeability mechanisms are the ultimate backdoor. The $190M Wormhole exploit targeted the centralized guardian signature verification.
Executive Summary: The Three Hard Truths
The industry's shift from multisigs to 'light clients' and 'optimistic' models has created a false sense of security, masking fundamental custodial risks.
The 'Light Client' Fallacy
Projects like Axelar and LayerZero market their 'decentralized verifier networks' as trustless, but they rely on a permissioned set of validators with billions in TVL at stake. The security model is not the underlying chain's, but the economic security of a new, untested cryptoeconomic system.
- Key Risk: Validator set collusion or slashing failure.
- Reality: You're trusting a new, smaller set of actors, not Ethereum's consensus.
The Liquidity Layer is Always Custodial
Even with a perfect trustless message layer (e.g., IBC), moving native assets requires a liquidity pool. Bridges like Across and Stargate use LP models where funds are custodied in a smart contract controlled by the bridge's governance—a single point of failure.
- Key Risk: Governance attack or contract bug drains all pooled liquidity.
- Reality: Your 'trust-minimized' bridge holds your funds in a massive, centralized vault.
Optimistic Models = Centralized Liveness Assumption
Systems like Nomad (pre-hack) and Across use fraud proofs with a challenge period. This assumes at least one honest watcher exists and is actively monitoring to submit a proof. In practice, watchdogs are often the bridge's own team or a small set of incentivized parties.
- Key Risk: Liveness failure; no honest actor is watching when fraud occurs.
- Reality: You're trusting the operational security and vigilance of a centralized entity.
The Trust Funnel Thesis
All current cross-chain bridges, including optimistic and intent-based models, ultimately compress user trust into a single, vulnerable point of failure.
Trust is never eliminated, only compressed. Every bridge, from Stargate's LayerZero to Across's optimistic model, funnels user trust into a final custodian. This is the trust-minimization fallacy; you trade many validators for one committee or a single oracle network.
Intent-based architectures like UniswapX or CowSwap shift the trust, not remove it. They rely on a centralized solver network to fulfill cross-chain intents. The user's trust transfers from bridge validators to the solver's ability and incentive to execute correctly.
The security floor is the weakest link. A bridge secured by a 10-of-15 multisig is only as strong as the 10th signer's key management. This creates a systemic risk funnel where billions in TVL depend on a handful of entities, a regression from decentralized blockchain ideals.
Evidence: The Wormhole and Ronin bridge hacks, totaling over $1 billion, exploited this compressed trust model. The attack surface wasn't the underlying chains but the centralized validator sets and multisigs governing the bridge contracts.
Architecture vs. Trust Assumption: A Comparative Breakdown
Deconstructing the security-performance trade-offs in modern bridge designs, from canonical to third-party.
| Trust & Security Dimension | Canonical (e.g., Polygon PoS, Arbitrum) | Optimistic (e.g., Across, Nomad) | Liquidity Network (e.g., Stargate, LayerZero) |
|---|---|---|---|
| Native Validator Set Control | | | |
| Third-Party Attacker Slashable? | | | |
| Funds at Rest Custody | On L1 Escrow | On L1 Escrow | In 3rd-Party Liquidity Pool |
| Time to Fraud Proof / Challenge | N/A (Native Finality) | 30 min - 7 days | N/A (No Fraud Proofs) |
| Primary Trusted Entity | Destination Chain Validators | Watcher Network / Guardians | Relayer + Oracle Set |
| Maximum Extractable Value (MEV) Risk | Low (Deterministic) | Medium (Auction-based) | High (Relayer discretion) |
| Protocol Revenue Model | Gas Fees | Liquidity Fees + Tips | Message Fees + Swap Spread |
| Architectural Compromise | Speed & Cost | Capital Efficiency & Latency | Trust Minimization |
Deconstructing the 'Minimized' in Trust-Minimized
Trust-minimized bridges shift, but do not eliminate, the systemic risk of a central custodian.
Trust is redistributed, not removed. A bridge like Across or Stargate replaces a single custodian with a decentralized set of validators. The security model now depends on the economic honesty of this new set, creating a multi-party custody risk.
The failure mode is still catastrophic. If a threshold of these validators colludes, they can steal all user funds. This is a liveness failure equivalent to a custodian's private key compromise, but with a more complex governance attack surface.
Evidence: The Wormhole and Nomad hacks exploited these exact validator/guardian models, resulting in losses exceeding $1.5B. The security budget is the combined stake of the validators, not the underlying chains.
The comparison is stark. A native rollup bridge like Arbitrum inherits Ethereum's validator set for finality. A third-party bridge like LayerZero creates a new, external security dependency. The minimization is relative to pure custody, not absolute.
Case Studies in Compromise
Even the most 'trust-minimized' bridges rely on a core assumption of an honest majority, creating a spectrum of custodial risk.
LayerZero's Omnichain Ambition
Replaces a single custodian with a network of independent oracles and relayers. The security model is a decentralization of trust, not its elimination. A successful attack requires collusion between the majority of these off-chain actors.
- Key Risk: Off-chain consensus is opaque and unverifiable on-chain.
- Key Trade-off: Enables general message passing for composability at the cost of introducing new, less-auditable trust layers.
Wormhole's Guardian Set
Employs a permissioned set of 19 node operators (like Jump Crypto, Everstake) to sign messages. This is a clear multisig model, optimized for speed and capital efficiency over pure decentralization.
- Key Risk: The validator set is known and potentially targetable.
- Key Trade-off: Provides sub-second finality and deep liquidity by concentrating trust in reputable, high-stake entities.
The Liquidity Network Illusion
Protocols like Across and Synapse use a hybrid model: optimistic verification with a fallback to a bonded committee. Users trade the risk of a slow challenge period for lower costs, but ultimate safety relies on that committee's honesty and capital.
- Key Risk: Liveness depends on committee members being active and uncorrelated.
- Key Trade-off: Enables capital-efficient bridging (no locked liquidity on destination) but reintroduces a liveness assumption.
The Native Bridge Baseline
Official rollup bridges (e.g., Arbitrum, Optimism) are the most 'trust-minimized' for their specific chain, as they are secured by the underlying L1. They expose the fundamental compromise: you are trusting the L1's social consensus and the rollup's fraud/validity proof system.
- Key Risk: Inherits all security assumptions of the base layer and the specific proof system.
- Key Trade-off: Maximizes cryptographic guarantees at the cost of being chain-specific, slower, and often more expensive than third-party alternatives.
The Steelman: "But What About Economic Security?"
Even the most trust-minimized bridges rely on a custodial security model that centralizes systemic risk.
Economic security is custodial. The dominant security model for bridges like Across and Stargate is an economic bond. Validators or relayers post collateral that is slashed for fraud. This is a custodial arrangement where the bridge's security is the sum of its bonded capital, not a decentralized verification of state.
Capital efficiency creates centralization. To be economically viable, bonded security must be highly leveraged, often 10:1 or more. This high leverage concentrates risk in a few large bonders, creating a centralized failure point. The system's security is only as strong as the solvency of its largest capital providers.
LayerZero's oracle/relayer model exemplifies this. Its security depends on the honesty of its designated Oracle and Relayer. While permissionless in theory, in practice, the economic and technical barriers to running these services at scale create a de facto oligopoly. The protocol's security is not the network's; it's the security of a few entities.
Evidence: The Wormhole hack exploited a centralized guardian signature, not a cryptographic flaw. The $325M loss demonstrated that economic bonds are reactive, not preventive. Recovery relied on the custodian's (Jump Crypto's) capital, not a decentralized security guarantee.
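To make the "security floor" and "economic bond" arguments above concrete, here is an added example (not from the original article) that models a k-of-n bonded committee: the real security budget is the combined bond of the cheapest quorum that can authorise a withdrawal, and collusion pays whenever the value it can release exceeds that budget. The committee, bond sizes and threshold are constructed; the 10:1 leverage case mirrors the figure the article cites.

```python
from dataclasses import dataclass

# Constructed sample: a hypothetical 5-of-8 bonded committee securing a bridge.
# Bonds are in USD millions and are made up for illustration; the unequal
# sizes mirror the article's point that a few large bonders dominate.
SAMPLE_BONDS = {
    "signer-a": 40.0, "signer-b": 35.0, "signer-c": 30.0, "signer-d": 25.0,
    "signer-e": 10.0, "signer-f": 10.0, "signer-g": 5.0, "signer-h": 5.0,
}
SAMPLE_THRESHOLD = 5

@dataclass(frozen=True)
class Assessment:
    cheapest_quorum: tuple      # signers whose combined bond is smallest
    security_budget: float      # what that quorum would forfeit to slashing
    value_at_risk: float        # bridged value the quorum could release
    leverage: float             # value_at_risk / total bonded capital
    collusion_profitable: bool  # True when stealing beats being slashed

def cheapest_quorum(bonds: dict, threshold: int):
    """The weakest-link quorum: the `threshold` signers with the smallest bonds.
    Slashing can take at most their combined bond, so that sum, not the total
    bonded capital, is the bridge's real economic security budget."""
    if not 0 < threshold <= len(bonds):
        raise ValueError("threshold must be between 1 and the committee size")
    ranked = sorted(bonds.items(), key=lambda kv: kv[1])[:threshold]
    names = tuple(name for name, _ in ranked)
    return names, sum(bond for _, bond in ranked)

def assess(bonds: dict, threshold: int, value_at_risk: float) -> Assessment:
    """Compare the cheapest quorum's bond against the value it could move."""
    names, budget = cheapest_quorum(bonds, threshold)
    total_bonded = sum(bonds.values())
    return Assessment(
        cheapest_quorum=names,
        security_budget=budget,
        value_at_risk=value_at_risk,
        leverage=value_at_risk / total_bonded,
        collusion_profitable=value_at_risk > budget,
    )

if __name__ == "__main__":
    # 10:1 leverage as described in the text: $1.6B at risk on $160M bonded.
    for var in (50.0, 1600.0):
        a = assess(SAMPLE_BONDS, SAMPLE_THRESHOLD, var)
        print(f"value at risk {var:>7.1f}M  budget {a.security_budget:5.1f}M  "
              f"leverage {a.leverage:4.1f}x  collusion pays: {a.collusion_profitable}")
```

Note that the headline "total bonded capital" (160) overstates protection by almost 3x: only the 55 held by the five smallest signers is actually at stake for the cheapest colluding quorum.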
The Inevitable Risk Surface
The bridge security model is a spectrum, and every design outside of canonical bridges makes a trust trade-off.
The Multi-Sig Mafia
The dominant security model for ~$30B+ in bridged assets. A small, off-chain committee holds the keys, creating a centralized failure point.
- Attack Surface: Compromise of ~5/8 signers can drain the entire vault.
- Opaque Governance: Signer selection is often controlled by the founding team, not a decentralized protocol.
The Oracle Problem Reloaded
Light client & optimistic bridges (e.g., IBC, Nomad v1) shift trust from validators to relayers and watchers.
- Data Availability: Relayers must be live and honest to forward state proofs.
- Fraud Proof Window: Optimistic designs have a ~30 min to 7-day challenge period where funds are escrowed and vulnerable to censorship.
Liquidity Network Lockup
Bridges like Across and Stargate rely on professional market makers (LPs) who can withdraw liquidity at will.
- Capital Efficiency vs. Security: LP capital is not cryptographically slashed for misbehavior.
- Systemic Risk: A black swan event or LP collusion can fragment liquidity, stranding user funds.
The Interoperability Trilemma
You can only optimize for two: Trustlessness, Generalizability, Capital Efficiency.
- Canonical Bridges (e.g., Arbitrum L1<>L2): Trustless & Generalizable, but capital-inefficient.
- Third-Party Bridges: Capital efficient & generalizable, but not trustless.
- Atomic Swaps: Trustless & capital efficient, but not generalizable (requires paired liquidity).
The Path Forward: Acceptance & Mitigation
Trust-minimized bridges are a pragmatic, but fundamentally custodial, compromise for current cross-chain infrastructure.
Trust-minimization is not trustlessness. Protocols like Across and Stargate use optimistic verification or decentralized relayers, but the underlying asset custody is a centralized multisig or a small validator set. The security model is probabilistic, not absolute.
The practical trade-off is speed. A fully trustless bridge like IBC requires synchronous finality, which is slow. The LayerZero model opts for liveness over safety, accepting a small validator quorum for near-instant transfers.
Mitigation is the only path. This means rigorous monitoring of validator sets, using Chainlink CCIP for decentralized oracle networks, and designing applications that assume bridge risk, like UniswapX does for intents.
TL;DR for Protocol Architects
The 'trust-minimized' bridge narrative often obscures the fundamental custodial risks and economic compromises still present in the relay layer.
The Relayer is the New Custodian
Protocols like Across and LayerZero shift custody from a single entity to a permissioned set of relayers or an oracle network. This is a risk distribution, not elimination.
- Security Model: Relies on economic slashing and fraud proofs, which have ~1-4 hour challenge windows.
- Failure Mode: A colluding super-majority of relayers can still censor or steal funds, a systemic risk for $10B+ in bridged value.
The Liquidity Network Compromise
Fast 'trust-minimized' bridges are liquidity networks first. The advertised speed comes from pre-funded pools on the destination chain, creating a new set of constraints.
- Capital Inefficiency: Liquidity must be mirrored across chains, locking up billions in idle capital.
- Centralizing Force: Liquidity provision becomes dominated by a few large LPs (e.g., market makers), reintroducing central points of failure and control.
Intent Solvers vs. Canonical Bridges
The rise of intent-based architectures (UniswapX, CowSwap) highlights the flaw: users shouldn't specify how to bridge, just the outcome. Current 'trust-minimized' bridges are still rigid path executors.
- Architectural Lag: They solve for asset transfer, not for generalized state fulfillment.
- Future-Proofing: The endgame is a solver network competing on execution, making today's bridge-specific liquidity and relayers obsolete.