Lock-Mint Bridge

The source chain asset (e.g., ETH) is locked in a smart contract or custodied by a validator set. This is the security-critical step, as the bridge's safety model determines the integrity of the locked collateral. Common models include:

• Trusted/Multisig: A federation of known entities controls the vault.
• Federated: A permissioned set of validators attests to the lock.
• Optimistic: A challenge period allows fraud proofs before finality.

Upon verification of the lock, a wrapped or synthetic token is minted on the destination chain. This token (e.g., WETH on Avalanche) is a 1:1 representation of the locked asset. The minting contract's authority is the bridge's validator set or oracle network, which signs off on the mint transaction. The token standard (e.g., ERC-20, BEP-20) is native to the destination chain.

To redeem the original asset, the user burns the wrapped token on the destination chain. A proof of this burn event is relayed to the bridge validators, who then authorize the unlocking of the collateral from the source chain's custody contract. This symmetric process ensures the total supply of wrapped tokens always matches the locked collateral, maintaining the 1:1 peg.

The security and trust assumptions vary drastically:

• Centralized (Custodial): A single entity (e.g., a company) holds the locked assets. Fast and simple, but introduces counterparty risk (e.g., early versions of Wrapped BTC).
• Decentralized (Non-Custodial): Assets are locked in a smart contract secured by a decentralized validator set using mechanisms like Proof-of-Stake or optimistic verification. Reduces trust but can be more complex and slower.

A critical distinction for wrapped assets:

• Canonical Bridge: The official, chain-native bridge (e.g., the Arbitrum Bridge for ETH, Polygon's PoS Bridge). The wrapped asset (e.g., Arbitrum ETH) is the standard, recognized version on that chain.
• Non-Canonical Bridge: A third-party bridge (e.g., Multichain, Celer) minting its own version of a wrapped asset. This creates fragmentation (e.g., USDC.e vs. native USDC on Avalanche) and can lead to liquidity silos.

Lock-mint bridges are the dominant model for moving native assets (like ETH, AVAX) and non-native stablecoins between chains.

• Examples: Polygon PoS Bridge (locks ETH on Ethereum, mints WETH on Polygon), Avalanche Bridge (mints wrapped assets like WETH.e), Wormhole (for tokenized assets via its guardian network).
• Limitation: They are not optimal for arbitrary cross-chain messaging or contract calls, which are better served by generic messaging bridges.

The most fundamental risk is the centralization of asset custody. In a classic lock-mint model, user assets are locked in a smart contract on the source chain, but the minting of wrapped assets on the destination chain is controlled by a small set of validators or a multisig wallet. This creates a single point of failure. If the validator keys are compromised or the multisig signers collude, the entire reserve of locked assets can be stolen. This was the primary failure mode in the Ronin Bridge ($625M) and Wormhole ($326M) exploits.

The bridge's on-chain components—the locking and minting contracts—are complex software subject to bugs. Exploits can include:

• Reentrancy attacks on the locking contract.
• Logic flaws in the minting authorization mechanism.
• Upgradeability risks where a malicious admin upgrade introduces a backdoor.
• Signature verification bugs that allow fake validation proofs. The Poly Network hack ($611M) exploited a vulnerability in the contract's verification logic.

Bridges rely on oracles or relayers to transmit information (e.g., proof of a deposit) between chains. If this off-chain infrastructure is compromised, it can feed fraudulent data to the minting contract. Attacks include:

• Data tampering where a malicious relayer submits false deposit events.
• Oracle manipulation to provide incorrect price feeds for cross-chain swaps.
• Denial-of-Service (DoS) attacks on relayers, halting all bridge operations. The security of the bridge is only as strong as its weakest validator or relayer node.

Proof-of-Stake or MPC-based bridges are vulnerable to attacks on their consensus mechanism. A malicious actor could attempt a 51% attack or Sybil attack on the validator set to gain control over the minting process. Furthermore, liveness failures can occur if validator participation drops below a threshold, potentially freezing user funds. These models require strong economic incentives and penalties (slashing) to ensure honest behavior, which itself introduces complex cryptoeconomic design risks.

The wrapped asset (e.g., wETH on another chain) is only valuable if it is redeemable 1:1 for the native asset on the source chain. Any perceived weakness in the bridge's security can cause a loss of confidence, leading to a depeg where the wrapped asset trades at a discount. This is a market risk that persists even if the bridge's technical mechanisms are functioning, as seen during periods of high uncertainty following major bridge exploits.

To mitigate these risks, modern bridge designs employ:

• Decentralized validation using fraud proofs or optimistic mechanisms (e.g., Across, Chainlink CCIP).
• Insurance funds or over-collateralization to cover potential slashing or losses.
• Time-delayed withdrawals (escape hatches) allowing users to withdraw directly if the bridge halts.
• Formal verification and extensive audits of core smart contracts.
• Progressive decentralization of the validator set and governance. Users should verify a bridge's security model, audit history, and time-in-operation before transferring significant value.