Polygon co-founder Sandeep: Writing After the Series of Explosions in Cross-Chain Bridges

Author: Sandeep

Translation: Jiahua, ChainCatcher

This weekend is distressing. There have been three security incidents involving cross-chain bridges in three weeks. I have not been focused on the specifics of each attack in recent days, but rather on considering the patterns hidden behind all these events.

On April 1, Drift lost 285 million dollars.

On April 13, at Polkadot Hyperbridge, a replayed proof minted 1 billion unbacked tokens; if not for the already thin liquidity on the target chain, the losses would have exceeded this amount considerably.

On April 18, KelpDAO lost 292 million dollars. Before this, there were also Wormhole, Ronin, Harmony, BNB Bridge, Nomad, and Multichain.

First, it should be clear that I am full of respect for every team that has actively responded during this stressful weekend. I have no intention of kicking anyone while they are dealing with emergencies.

We have all been in similar situations, and the teams issuing patches now are working extremely hard. Kelp’s emergency pause multi-signature mechanism prevented two subsequent attempts to drain assets; otherwise, losses would have increased by another 200 million dollars.

What I want to emphasize here is that what happened this weekend is not just a Kelp issue. It originates from a design choice that the entire industry has been making. Currently, the cross-chain infrastructure of most cryptocurrencies still functions like a notary.

Whether you call it DVN, a relay collection, an oracle committee, or multi-signature, it essentially consists of a small group monitoring activities on one chain and providing testimony for it on another chain.

Once this committee or its underlying feed data is compromised, this notary will endorse lies without hesitation. The names of the protocols may change, but the trust assumptions have never changed.

@moo9000 has aptly named it: Multisig Finance (MultisigFi).

This description is quite accurate. Regardless of what you call the underlying committee, the trust model is the same. The events of the past three weeks painfully highlight how this model collapses when applied at scale.

A recent Dune data scan of active LayerZero applications found that 47% of applications run under a 1/1 validator configuration, 45% run under a 2/2 configuration, and less than 5% of applications adopt a more robust security configuration.

This means that for 90% of cross-chain applications currently in production, 1 or 2 compromised signers are the only security barrier between user funds and attackers.

Five years ago, this may have been a reasonable default security setting. Back then, cross-chain bridges only moved millions of dollars, and no one probed them on an industrial scale.

But this is nonsense in 2026. The same design now moves billions of dollars! Moreover, AI-assisted tools are continuously discovering operational configuration vulnerabilities at machine speed. The attack surface has expanded exponentially, but the security model remains stagnant.

To be clear, this is not an article that pits Polygon against everyone else. Years ago, we also built an early version of this trust assumption into our own product. We have learned lessons from it, and the entire industry has learned from it.

Along the way, some of us continued building under the committee model, while others bet the entire company on ZK (zero-knowledge proofs).

Our bet on ZK is not mere talk: a ZK proof was launched for Agglayer bridging in July 2024, and it has been in production for over a year, facilitating large-scale cross-chain transactions every day. Frankly, what happened this weekend has only strengthened my confidence in this argument.

ZK proofs take over the work previously done by committees. A proof is like a tiny cryptographic receipt showing that a computation has indeed been executed correctly, and any machine on earth can verify it within milliseconds.

Either the proof holds, and the transfer is settled, or the mathematical verification fails, and the assets remain untouched. No operator can be bribed, no RPC can be poisoned, no quorum needs to be coordinated, and no one will sit in a room at 3 AM deciding whether your money is safe.

Above this is what we call "Pessimistic Proof". The simplest way to understand it is: trust no one’s on-chain accounting.

Every chain connected to Agglayer has a dynamic ledger for recording the receipt and delivery of assets. Before any withdrawal is finally confirmed, the accounts must remain balanced. A chain can never withdraw more of an asset than recorded, regardless of the reasons or whether someone has forged upstream messages.

Mathematical rules will not allow such things to happen. Agglayer enforces this through Succinct’s SP1 proof system, which is built on Polygon Plonky3.

If last weekend's scenario were run in Agglayer, the pessimistic proof would instantly prevent withdrawals since there would be no deposit records, so funds would absolutely not transfer.

The same accounting mechanism can also catch the infinite minting vulnerabilities of Wormhole and BNB Bridge, and the replay proof vulnerability of Hyperbridge.

These vulnerabilities are fundamentally different, but they all boil down to the same issue: cross-chain bridges release assets that are not backed on the other end. Agglayer will prevent all these situations before any settlement happens.
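
The balance rule described above can be sketched as follows. This is an added illustration, not Agglayer's code: the class and function names, chain names and amounts are assumptions, and a plain in-memory check stands in for the ZK proof that enforces the rule in the real system.

```python
from collections import defaultdict

class UnbackedWithdrawal(Exception):
    """A batch would let a chain send out more of a token than it holds."""

class PessimisticLedger:
    """Toy model (assumption): one balance per (chain, token)."""

    def __init__(self):
        self.balance = defaultdict(int)  # (chain, token) -> units held

    def deposit(self, chain, token, amount):
        """Record assets received by `chain` from outside the model."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.balance[(chain, token)] += amount

    def settle(self, source_chain, exits):
        """Apply exits [(dest_chain, token, amount), ...] all-or-nothing."""
        scratch = dict(self.balance)  # work on a copy; commit only if every exit is backed
        for dest_chain, token, amount in exits:
            if amount <= 0:
                raise ValueError("amount must be positive")
            held = scratch.get((source_chain, token), 0)
            if held < amount:
                raise UnbackedWithdrawal(
                    f"{source_chain} holds {held} {token}, exit needs {amount}")
            scratch[(source_chain, token)] = held - amount
            scratch[(dest_chain, token)] = scratch.get((dest_chain, token), 0) + amount
        self.balance = defaultdict(int, scratch)

def try_settle(ledger, source_chain, exits):
    """Return True if the batch settled, False if it was rejected as unbacked."""
    try:
        ledger.settle(source_chain, exits)
        return True
    except UnbackedWithdrawal:
        return False

def demo():
    """Constructed scenario: chain names and amounts are made up."""
    ledger = PessimisticLedger()
    ledger.deposit("chain-a", "ETH", 100)
    honest = try_settle(ledger, "chain-a", [("chain-b", "ETH", 60)])
    # Forged message: chain-c never received any ETH, so nothing can leave it.
    forged = try_settle(ledger, "chain-c", [("chain-b", "ETH", 500)])
    # The same 30-unit exit duplicated in one batch: 60 needed, only 40 left.
    replay = try_settle(ledger, "chain-a", [("chain-b", "ETH", 30)] * 2)
    return honest, forged, replay, dict(ledger.balance)
```

In this model the check caps what a forged or replayed message can release at what the source chain actually holds; it does not identify which message was forged.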

This is not just theoretical. While a large part of DeFi pressed the pause button this weekend, Agglayer handled around 200 million dollars in bridged transaction volume without a hitch.

Katana, which is natively connected to Agglayer, maintained zero risk exposure during the entire event. Before the underlying reasons were publicly disclosed, our security team paused all LayerZero integrations across the Polygon ecosystem, and our product and support teams were tirelessly on the phone with institutional partners throughout the weekend.

Nearly six years of building. 2.4 trillion dollars settled on Polygon. 7 billion transactions. 99.99% uptime. Zero cross-chain bridge vulnerabilities on Agglayer. That is why we have spent years building Agglayer; security has always been the top priority.

I present these numbers not to brag, but because in order to confidently walk into an institution and tell them that cryptocurrencies are ready to handle vast payment volumes, you must present these tangible achievements.

Building cross-chain bridges based on committees is cheaper and faster, and I understand why teams would build them; we have also constructed early versions ourselves. However, the things attackers can do have indeed changed now.

Since 2022, the Lazarus group has been attacking these designs, and they show no signs of slowing down. AI-assisted audits can now uncover configuration errors that were previously hidden under complex layers. These attacks will not disappear. The math will eventually catch up with the shortcomings of committees.

For the past two to three years, this industry has been settling trillions of dollars in transaction volume annually. We ask banks and payment companies to place large sums of money on rails that still rely solely on one or two signers to make the right judgments on Saturday nights. This is our demand; say it out loud and see how ridiculous it seems.

We must do better, and we already know how to do it.

Nevertheless, it is essential to affirm that LayerZero is now disabling 1/1 configurations (single-signature) across the entire industry. This is the right decision, and it will make cross-chain security much stronger, which I fully support. Other teams will also continue to reinforce their committee designs. This work is important.

But the bigger shift lies in the architecture. ZK proofs are tireless, cannot be attacked through social engineering, and will not have a bad weekend. Math either holds or it does not, and if it does not, nothing settles.

This is the direction the industry is moving towards, and the pace is faster now than it was a month ago, which is good news for every builder and every organization coming on-chain.

This week, every team building cross-chain infrastructure should ask themselves a question: do I really need a committee? Strengthening existing committees is just a fallback solution.

Agglayer is open source. There are no protocol fees. No licensing restrictions. Any team ready to shift from trusted proof mechanisms to cryptographic validation can get connected. If you are currently running a cross-chain bridge, and the events of the past three weeks have made you rethink your trust model, please contact us.

This is not a competitive moat we are hoarding, but infrastructure that the entire industry should utilize.

The fate of cryptocurrencies over the next decade will be determined by those teams that are now willing to tackle harder architectures. Cryptographic proofs are more challenging to build than notaries. But they will not collapse over the weekend, and they can scale to the trillions that cryptocurrencies are being asked to handle.

Do you want a committee, or a mathematical proof? We chose the latter. I hope more will choose likewise.

After this weekend, I am more convinced of ZK cross-chain. Tough times forge clear architectures.
