TL;DR:
- Across Protocol uses an intents architecture that eliminates funds locked in contracts, the primary cause of bridge hacks.
- Since 2022, bridges have lost approximately $2.9 billion in exploits; in May 2026 alone, around $328.6 million was lost across just eight incidents.
- The protocol’s V4 version incorporates zero-knowledge proofs to verify Ethereum’s state on any destination chain without relying on custom adapters.
Cross-chain asset bridges accumulate a loss record that no other component of the crypto infrastructure can match. Across Protocol proposes an architectural response to that record: eliminating the element that turns every bridge into a profitable target. Since 2022, bridge exploits have resulted in losses of approximately $2.9 billion, and the pace shows no signs of slowing. PeckShield recorded around $328.6 million stolen across eight separate incidents during May 2026.
The patterns behind those losses are recognizable and repetitive. Lock-and-mint bridges accumulate user assets in a source contract and issue representative tokens at the destination; if the minting function can be deceived, the entire wrapped supply loses its backing.
Wormhole suffered exactly that in February 2022, when an attacker exploited an outdated signature verification path to mint 120,000 wETH without backing on Ethereum and withdraw approximately $325 million. Concentrated validator sets present an equivalent problem: the Ronin bridge operated with nine validators, five of which were sufficient to approve a transaction. In March 2022, the Lazarus group compromised five keys through social engineering and stole around $540 million.
The concentration of control in multi-sigs with few signers reproduces the same risk, as demonstrated by the attack on Harmony‘s Horizon Bridge in June 2022, resulting in losses of $100 million. In every case, the common denominator is identical: the user deposits funds, the bridge holds them, and any internal failure falls on those funds.
The Intents Architecture and the End of the Honeypot
Across inverts that model through an intents architecture. The user signs a desired outcome—source chain, destination chain, input token, output token, amount—and a competitive network of relayers bids to execute it. The winning relayer advances its own capital on the destination chain and delivers the asset to the user before the protocol verifies the process. There is no pool of locked user funds waiting for cross-chain messages, nor wrapped assets susceptible to over-issuance. When someone bridges ETH through Across, they receive canonical ETH, not a representative token.
Settlement is processed through the UMA Optimistic Oracle. The Dataworker aggregates valid deposits and executions within an interval of approximately 60 minutes, compiles a repayment bundle and submits it for optimistic verification. If no one disputes it within the challenge period, the bundle executes and relayers are reimbursed. This design requires a single honest participant to flag a malicious bundle, without assuming an honest majority or validator quorum.
Across Protocol Has Recorded No Incidents Since 2021
Across Protocol’s V4 version, currently in production, eliminates the dependency on canonical bridges per destination chain. It replaces custom adapters with an Ethereum light client based on zero-knowledge proofs, generated with Succinct Labs’ SP1 prover and verified on each destination chain through a contract called SP1Helios. Adding a new chain no longer requires replicating a separate verification layer; the security model remains uniform across the entire network.
Across operates without security incidents at the protocol level since 2021, having processed more than $36 billion in volume. That track record is not the product of chance, but of having structurally eliminated the four attack surfaces responsible for the sector’s largest losses.
