Multichain validator risk is one-sided. Most bridge models like Stargate or early LayerZero rely on validators who stake collateral on only one chain, creating a fundamental misalignment. A validator can profitably attack the destination chain where they have zero skin in the game.
Why Bridge Validators Need Skin in the Game on Both Sides of the Chain
Current bridge architectures often concentrate validator risk on a single chain, creating a systemic vulnerability. This analysis argues that true cross-chain security requires validators to be economically bonded to the security of both the source and destination chains to prevent asymmetric attacks.
Introduction
Bridge security is compromised when validators lack economic exposure to the assets they secure.
Economic finality requires bilateral bonds. Security mirrors proof-of-stake: validators must have slashable stake on both sides of the transaction. This transforms a cryptographic promise into a financial guarantee, making external attacks economically irrational.
The exploit pattern is predictable. The Wormhole, Nomad, and Multichain hacks demonstrated that insufficient or misaligned economic security is the root cause of bridge failures. The attacker's cost-benefit analysis always targets the weakest-linked chain.
Evidence: Across Protocol enforces this by having its relayers post bonds on both source and destination chains, a model that has secured over $10B in volume without a security incident.
The Asymmetry Problem in Practice
When validators only have economic skin in the game on the source chain, they are incentivized to attack the destination chain for profit. This is the fundamental security flaw in most optimistic bridges.
The $325M Wormhole Exploit
The canonical example of a one-sided attack. The validator's stake was only on Solana, so a forged message to mint 120k wETH on Ethereum was costless. The asymmetry created a risk-free robbery.
- Attack Cost: Zero on the target chain (Ethereum).
- Defense Cost: Full $325M liability for the bridge.
Nomad's Replay Attack Cascade
A bug made messages replayable, but the lack of bonded stakes on destination chains turned a bug into a free-for-all. Every whitehat and blackhat could exploit it risk-free, draining $190M in hours.
- No Slashing Risk: Validators faced no penalty on Ethereum.
- Network Effect: Asymmetry enabled a viral run on the bridge.
The LayerZero Economic Model
A direct counter to asymmetry. The Oracle and Relayer must stake on both chains. An invalid message results in slashing on the destination chain, aligning incentives end-to-end. This is a superior model to optimistic bridges like Across.
- Bilateral Slashing: Stake at risk on source and destination.
- Game Theory: Makes 51% attacks economically irrational.
The Interchain Security Fallacy
Cosmos IBC assumes benevolent validators, but this fails for permissionless chains. If a chain's native token collapses, its validators have zero cost to attack IBC connections. Asymmetry makes the entire ecosystem vulnerable to one chain's failure.
- Weakest Link: Security is gated by the poorest-performing chain.
- Systemic Risk: A death spiral on Chain A can bleed into Chain B.
The MPC Network Dilemma
Networks like Multichain (formerly Anyswap) and Celer use MPC committees. Signers stake in a pool, but that stake is often not chain-specific. A bribe to sign a fraudulent message on Ethereum only risks the pooled stake, not individual chain assets, creating misaligned incentives.
- Pooled Liability: Diffused, non-chain-specific stake.
- Bribe Attack: Cost to attack a single chain is a fraction of total TVL.
The Solution: Bilateral Bonding
The only robust fix. Validators/Oracles must post chain-specific bonds on both sides of a route. This is implemented in intent-based bridges like Across (via bonded relayers) and is core to LayerZero's security. It turns cross-chain validation into a positive-sum game.
- E2E Alignment: Profit only from honest validation.
- Capital Efficiency: Bonds can be optimized via restaking (e.g., EigenLayer).
The First-Principles Case for Bilateral Bonding
Unilateral staking on a source chain creates a systemic risk where validators have no stake in the destination chain's security.
Unilateral staking is broken. Most bridge models like early Stargate or Synapse require validators to stake only on the source chain. This creates a perverse incentive where a validator's stake is safe even if they sign fraudulent state on the destination chain, leading to theft with zero slashing risk.
Bilateral bonding solves the liveness-safety trade-off. Validators must post bonded capital on both chains. This aligns their economic fate with the correctness of the state transition across the entire system, making a successful attack require a simultaneous liveness failure on two separate chains.
The protocol is the slashing condition. Systems like Axelar and Chainlink CCIP enforce this by making the bridge's smart contract logic the sole arbiter of slashing. A fraudulent message on chain B automatically triggers the forfeiture of the bond posted on chain A, creating a unified security domain.
Evidence: The Wormhole hack exploited unilateral staking. The attacker forged a VAA on Solana to mint 120k ETH on Ethereum. The guardian stake on Solana was untouched because the fraud occurred on a different chain, highlighting the critical flaw bilateral bonding fixes.
Bridge Security Model Comparison
Comparing validator slashing mechanisms based on where their financial stake is locked, a critical factor for cross-chain security.
| Security Feature / Metric | Native Dual-Staking (e.g., Axelar) | Externally Verified (e.g., LayerZero) | Optimistic (e.g., Across, Nomad) |
|---|---|---|---|
| Core Security Capital Location | Locked on both source & destination chains | Locked off-chain or on a single chain | Locked on destination chain only |
| Slashing Execution Capability | | | |
| Cost of 51% Attack | | Cost of bribing off-chain verifiers | Bond value + fraud proof window |
| Validator Sybil Resistance | High - stake at risk on both sides | Low - relies on off-chain reputation | Medium - stake at risk post-claim |
| Capital Efficiency for Validators | Low - capital locked in two places | High - capital can be redeployed | Medium - capital locked for dispute period |
| Time to Finality for Security | Immediate (cryptoeconomic) | Instant to 20 mins (off-chain consensus) | 30 mins to 4 hours (challenge window) |
| Primary Failure Mode | Chain halt or severe depeg | Oracle/Relayer cartelization | Liquidity provider insolvency |
Attack Vectors Enabled by Asymmetric Incentives
When bridge validators are only economically bonded on the source chain, they have no skin in the game on the destination, creating a fundamental security asymmetry.
The Nothing-at-Stake Problem on Destination
Validators can sign fraudulent messages on the destination chain at zero cost, as their stake is locked elsewhere. This enables double-spend and theft attacks where the cost of corruption is near-zero.
- Attack Cost: Only gas fees on destination chain.
- Mitigation Failure: Pure fraud proofs are useless if validators have nothing to lose.
- Real-World Impact: Enabled the $325M Wormhole hack via a forged signature.
Liveness Attacks & Censorship for Profit
A malicious actor can bribe a supermajority of validators to stop signing legitimate messages, freezing user funds. Their staked assets on the source chain remain safe, making the bribe economically rational.
- Incentive Misalignment: Profit from censorship > Slashing risk on source chain.
- Protocol Risk: Affects LayerZero, Axelar, and any MPC-based bridge.
- Economic Design Flaw: Asymmetric penalties fail to secure cross-chain liveness.
The Withdrawal Griefing Vector
After a user's funds are locked on Chain A, validators can intentionally delay or reorder the release on Chain B to extract MEV or force unfavorable settlements, without risking their primary stake.
- MEV Extraction: Front-run user's destination transaction.
- User Experience: Finality times become unpredictable and manipulable.
- Systemic Risk: Encourages validator cartels, as seen in early Across relay models.
Solution: Dual-Staking with Native Assets
Force validators to bond significant value in the native tokens of both connected chains. Slashing must be possible on both sides, making attacks economically irrational.
- First Principles Security: Aligns incentives across the entire message path.
- Protocol Examples: Cosmos IBC, Polygon Avail, Babylon (bitcoin staking).
- Key Trade-off: Increases validator capital requirements and complexity.
Solution: Optimistic Verification with Bonded Challengers
Use a lightweight attestation layer (low stake) for speed, but allow a separate set of bonded challengers to dispute invalid state roots within a challenge window. Ethereum's EigenLayer restakers can fill this role.
- Efficiency: Reduces constant validator overhead.
- Security Model: Shifts finality delay to the challenge period (~7 days).
- Ecosystem Fit: Ideal for high-throughput chains like Polygon, Arbitrum.
Solution: Intent-Based Routing & Solver Bonds
Remove the validator role entirely. Users express intent (e.g., 'swap 1 ETH for ARB on L2'). Competitive solvers, who are bonded on the destination chain, fulfill it using pooled liquidity. This is the UniswapX and CowSwap model.
- Incentive Flip: Solvers lose bond if they don't deliver.
- User Benefit: Guaranteed execution or refund.
- Architecture Shift: Moves risk from bridge protocol to solver network.
The Pragmatist's Rebuttal (And Why It's Wrong)
The argument that validators only need stake on the destination chain is a critical design flaw that ignores cross-chain incentive attacks.
Single-chain staking creates arbitrage. A validator with stake only on Ethereum can safely censor or reorder transactions on a cheaper L2 like Arbitrum. Their economic risk is isolated, enabling profitable manipulation without jeopardizing their primary collateral.
Cross-chain intent systems like UniswapX expose this. These protocols rely on solvers who route across chains. A bridge validator with misaligned incentives can front-run these cross-chain orders, extracting value from the system with impunity.
The solution is bilateral economic security. Protocols like Across and LayerZero's OFT standard enforce that relayers/validators post bondable assets on both source and destination chains. This skin-in-the-game symmetry eliminates the one-sided risk asymmetry.
Evidence: Wormhole's guardian model. Its 19-node set requires no stake, relying on reputation. This led to a $325M exploit where the economic cost of corruption was zero. Staking on a single chain like Solana would not have prevented this.
FAQ: Bilateral Bonding for Builders
Common questions about why bridge validators need skin in the game on both sides of the chain.
Bilateral bonding requires bridge validators to stake collateral on both the source and destination chains they secure. This creates direct financial disincentives against malicious actions like stealing funds or censoring transactions on either side. Unlike unilateral models, it aligns validator incentives with the health of the entire cross-chain path, not just one network. Protocols like Across and LayerZero implement variations of this principle to secure their attestations.
TL;DR for Protocol Architects
The validator economic model is the primary attack surface for cross-chain bridges. Here's why capital must be at risk on both sides.
The Nothing-at-Stake Problem on Destination Chains
Validators with no bonded value on the destination chain face zero-cost attack vectors. They can sign fraudulent withdrawal proofs without consequence, as seen in the Wormhole and PolyNetwork exploits.
- Key Benefit: Forces validators to internalize the cost of malicious actions.
- Key Benefit: Aligns economic security with the total value of bridged assets ($10B+ TVL).
The Solution: Dual-Sided Staking (e.g., ZetaChain, Polymer)
Require validators to post slashable bonds natively on both the source and destination chains. This creates a unified security budget.
- Key Benefit: ~10x increase in the capital cost to bribe or corrupt the validator set.
- Key Benefit: Enables light-client verification with economic finality, reducing reliance on external oracles.
Interoperability Trilemma: You Can't Optimize All Three
Choose two: Trustlessness, Generalizability, Extensibility. Most bridges (LayerZero, Axelar) sacrifice trustlessness for the latter two via external validator sets.
- Key Benefit: Clarifies design trade-offs against IBC (trustless, less extensible) and Chainlink CCIP (oracle-dependent).
- Key Benefit: Frames protocol choice around asset value and risk profile.
The Liquidity Mirror: TVL is Not Security
A bridge with $5B TVL but validators with $50M in staking has a security ratio of 1:100. This mismatch invites fractional reserve attacks.
- Key Benefit: Forces security models to scale with bridged value, not just validator count.
- Key Benefit: Directly ties the cost of a 51% attack on the bridge to the total value it secures.
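The security-ratio argument above can be turned into a per-route audit: for each chain on a route, how much slashable stake does the cheapest quorum of signers forfeit if fraud lands there, and does that cover the bridged value? This is an added example, not code from any protocol named on this page; the `Validator` type, the 7-of-10 quorum, chains `A`/`B` and all dollar figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Validator:
    name: str
    bonds: dict  # chain -> slashable bond (USD) posted on that chain

def slashable_stake(v, fraud_chain, cross_chain_slashing):
    """Stake validator `v` forfeits if fraud it signed lands on `fraud_chain`."""
    if cross_chain_slashing:
        # Bridge contract can forfeit bonds on every chain of the route.
        return sum(v.bonds.values())
    # Otherwise only the bond sitting on the chain where the fraud is provable.
    return v.bonds.get(fraud_chain, 0)

def cost_of_corruption(validators, fraud_chain, quorum, cross_chain_slashing=False):
    """Total stake lost by the cheapest coalition that reaches `quorum`."""
    if not 0 < quorum <= len(validators):
        raise ValueError("quorum must be between 1 and the validator count")
    stakes = sorted(slashable_stake(v, fraud_chain, cross_chain_slashing)
                    for v in validators)
    return sum(stakes[:quorum])

def audit_route(validators, chains, tvl, quorum, cross_chain_slashing=False):
    """Per-chain cost of corruption and whether it covers the value at risk."""
    report = {}
    for chain in chains:
        cost = cost_of_corruption(validators, chain, quorum, cross_chain_slashing)
        report[chain] = {"cost": cost, "ratio": cost / tvl, "covered": cost >= tvl}
    return report

# Constructed sample data: 10 signers, 7-of-10 quorum, $5B bridged value.
TVL = 5_000_000_000
UNILATERAL = [Validator(f"v{i}", {"A": 5_000_000}) for i in range(10)]
BILATERAL = [Validator(f"v{i}", {"A": 5_000_000, "B": 5_000_000}) for i in range(10)]

if __name__ == "__main__":
    for label, vals, xslash in [("unilateral", UNILATERAL, False),
                                ("bilateral", BILATERAL, False),
                                ("bilateral + cross-chain slashing", BILATERAL, True)]:
        for chain, r in audit_route(vals, ("A", "B"), TVL, 7, xslash).items():
            print(f"{label:34} fraud on {chain}: cost ${r['cost']:,} "
                  f"ratio {r['ratio']:.4f} covered={r['covered']}")
```

With source-only bonds the destination chain shows zero cost of corruption, and even the fully bilateral set stays far below the bridged value, so the bond size has to be audited against TVL as well as its location.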
Intent-Based Architectures Shift the Burden (UniswapX, Across)
These systems don't bridge assets; they bridge intents. Solvers compete on destination chains, making validator corruption less impactful.
- Key Benefit: Reduces bridge validator role to message passing, lowering systemic risk.
- Key Benefit: Attackers must corrupt the solver market, not a static validator set.
Implementation Blueprint: Slashing Conditions & Recovery
Dual-sided staking requires provable fraud proofs and a clear recovery mechanism. Use light client state proofs for verification and social consensus/DAO for worst-case slashing.
- Key Benefit: Creates a verifiable, on-chain security audit trail.
- Key Benefit: Ensures liveness failures don't permanently lock user funds.