Bridge Exploit attacks on Ethereum

$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.

1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.

$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.

GriffinAI, an AI-agent crypto project, lost ~$3M after a bridge/mint flaw let an attacker mint unbacked GAIN tokens and dump them, collapsing the price.

Access-control flaw drained $3.76M from Nervos's Force Bridge on Ethereum and BNB Chain; loot was swapped to ETH and routed via Tornado Cash and FixedFloat.

A white-hat MEV bot drained $12M from Ronin's bridge via a dead-code init flaw that left minimumVoteWeight at zero. All funds returned for a $500K bounty.

~$82M drained from Orbit Chain's cross-chain bridge on New Year's Eve after seven of ten multi-sig signers were compromised; losses across Ethereum and Klaytn.

~$220K drained from HYPR Network after a bridge/contract flaw let an attacker extract bridged liquidity — a small but clean bridge failure.

~$2.6M of ETH stuck or at-risk on the Shibarium bridge at launch after a misconfigured contract and traffic overload left funds inaccessible.

A routine upgrade marked the zero hash as a valid root, turning every Nomad message into a withdrawal anyone could copy-paste.

Lazarus compromised two of five operator multi-sig keys on Harmony's cross-chain bridge and drained $100M; the 2-of-5 quorum was below its risk profile.

A signature-verification bypass on Wormhole's Solana side let the attacker mint 120,000 wETH out of thin air — backed by no Ethereum collateral.

An attacker tricked Qubit's BSC bridge into minting 77,162 qXETH ($185M nominal) without depositing any ETH, borrowing 206,809 BNB ($80M).

$13M+ drained from THORChain across two attacks one week apart, both exploiting fake-deposit flaws in the Bifrost Ethereum bridge weeks into Chaosnet.

Vulnerability in ChainSwap's Ethereum-BSC bridge let an attacker mint arbitrary amounts of 20+ supported tokens; $4M drained, affected tokens crashed 95%+.

Attacker detected a repeated k-value in two BSC signatures, back-calculated Anyswap V3's MPC private key, and drained $7.9M from its cross-chain router pools.