Why the Biggest Crypto Heists Keep Happening at Bridges, Not Smart Contracts
Cross-chain bridges, the infrastructure that moves cryptocurrency between separate blockchains, have become the largest single source of losses in decentralized finance. In 2026 alone, bridges suffered roughly $328.6 million in losses across eight major incidents, according to security firm PeckShield. The pattern is clear: the biggest crypto heists are no longer happening inside smart contracts themselves, but in the trusted infrastructure that decides whether a cross-chain message is authentic.
What Happened to Kelp DAO, and Why Does It Matter?
On April 18 and 19, 2026, an attacker drained approximately $292 million from Kelp DAO's bridging adapter, making it the largest decentralized finance exploit of the year. The attack was not a flaw in the token contract or a broken mathematical formula. Instead, the attacker compromised the off-chain infrastructure behind a single verifier on the LayerZero protocol, a messaging system that relays cross-chain transactions. The attacker forged a message instructing the bridge to release funds, and the bridge executed the instruction exactly as written.
What makes this incident significant is that the on-chain code behaved perfectly. The vulnerability lived in the trust assumption underneath the code: that whoever controlled the verifier was honest and uncompromised. LayerZero preliminarily attributed the attack to North Korea's Lazarus Group. Kelp's team detected the anomaly and paused the contracts, blocking a follow-up attempt to drain an additional 40,000 units of rsETH (staked ether). Arbitrum's Security Council later froze approximately $71 million in ether linked to the theft, but the damage was done in minutes by a single message.
Why Do Bridges Keep Failing in the Same Way?
The Kelp DAO incident is not an isolated mistake. The same pattern has repeated across the largest bridge exploits in crypto history. Consider the reference points that every bridge engineer knows: the Ronin bridge, drained of roughly $625 million in March 2022 when attackers obtained enough validator keys to approve their own withdrawals; Wormhole, which lost about $320 million in February 2022 after a signature verification flaw let an attacker mint wrapped ether without depositing collateral; and Nomad, which bled roughly $190 million in August 2022 after a faulty upgrade made the system treat essentially every message as valid.
In 2022, Chainalysis estimated that about $2 billion was stolen across 13 separate cross-chain bridge hacks, accounting for roughly 69 percent of all crypto stolen that year. Four years later, the mechanism behind the biggest loss of 2026 is recognizably the same.
- Ronin (March 2022): Attackers obtained enough validator keys to approve their own withdrawals, draining $625 million.
- Wormhole (February 2022): A signature verification flaw allowed an attacker to mint wrapped ether without depositing collateral, resulting in $320 million in losses.
- Nomad (August 2022): A faulty upgrade made the system treat essentially every message as valid, triggering a copycat free-for-all that bled $190 million.
- Kelp DAO (April 2026): A compromised single verifier allowed an attacker to forge a cross-chain message and drain $292 million in minutes.
Where Is the Real Vulnerability?
Across all four of these major exploits, the failure is not in the token logic or the mathematical operations inside the smart contract. The recurring problem is in the layer that decides whether a cross-chain message is authentic. In each case, the bridge faithfully executed an instruction it should never have accepted, because the thing standing between an attacker and the locked collateral was a small, trusted set of off-chain attestations.
To understand how bridges work, think of them like a depositary receipt in traditional finance. You deposit an asset into a contract on one blockchain, that asset is locked, and the bridge mints a representation of it (a wrapped token) on another blockchain. The wrapped token is meant to be redeemable one for one for the original. A separate set of off-chain actors, called validators, relayers, oracles, or verifiers, watch the source blockchain and tell the destination blockchain when a deposit has happened so the mint can proceed. When those validators can be tricked or compromised, the certificate becomes a claim on nothing.
How to Evaluate Your Exposure to Bridge Risk
- Audit Quality: The size of a bridge's audit, the reputation of its team, and the formal verification of its contracts are all worth having, but they address the part of the system that has rarely been the problem.
- Validator Concentration: When trust is concentrated in one party or a handful of parties, the bridge inherits exactly one point of failure no matter how clean the surrounding code is.
- Multi-Chain Exposure: If an asset you hold is a wrapped representation sitting behind a bridge, your exposure is not only to the issuer and the underlying asset, but also to the validator set of every bridge in the path.
- Message Authenticity: The chance that one forged message turns your holding into an unbacked IOU is the core risk, as the Kelp DAO incident showed that a single message can do in minutes what would take a traditional custodian fraud months to unwind.
For institutions evaluating tokenized assets, stablecoins, or on-chain credit, this is not an abstract security debate. The data shows that bridge vulnerabilities are concentrated in the trust placed in whoever signs off that a message is real. When that trust is concentrated in one party, the bridge inherits exactly one point of failure no matter how clean the surrounding code is.
The Kelp DAO incident demonstrated that the largest losses in crypto now come from the trusted infrastructure around contracts, not from the arithmetic inside them. As the bridge ecosystem continues to grow and more value moves across chains, understanding the anatomy of these exploits becomes essential for anyone holding wrapped assets or relying on cross-chain infrastructure.