Cross-chain bridges lost $340.7 million across 14 exploits in 2026, according to a PeckShield alert dated June 1, 2026. What was meant to be the backbone of blockchain interoperability has become, by the numbers, the most expensive single attack surface in DeFi. This is not a streak of bad luck. It is a structural pattern.
There is a widely held view in the sector: bridges are young infrastructure, and the vulnerabilities will close as audits improve and the technology matures. The data from 2026 tells a different, less comfortable story. The problem is not the maturity of the code. It is where the code concentrates value.
The Mainstream Case: Just a Matter of Time
Functionally, the optimistic argument sounds plausible. Bridges are complex software, managing messages across heterogeneous chains, and every new technology goes through a vulnerability window before stabilizing. Audits, bug bounties, continuous monitoring: with the right tools, this school of thought argues, the risk comes under control. It is the same curve that centralized exchanges followed after their worst years.
The reasoning has a blind spot. It assumes the defect is accidental, a series of bugs to be patched one by one. The 2026 data points instead to a design flaw, not an implementation one.
The Data That Undercuts the Optimism
May 2026 recorded 60 incidents, the highest monthly count of the year, with gross losses of approximately $68.3 million, according to PeckShield. Code vulnerabilities accounted for 66% of all incidents, while bridge exploits produced the highest loss figure of any single incident type. Fund recovery stood at just 13.7%. Nearly nine out of every ten dollars stolen did not come back.
The defining case is KelpDAO. PeckShield documented the dynamics of 2026 cross-chain exploits on X, and the aggregate reading is unambiguous: bridges dominate the loss rankings.
Why Crypto Bridges Keep Getting Hacked
Bridges concentrate the collateral of dozens of chains into a single point of failure, and one flaw in message verification is enough to drain it. That is the design defect, not a bug in any individual contract. On April 18, 2026, an attacker drained approximately 116,500 rsETH (worth $292 million at the time) from KelpDAO's bridge built on LayerZero. Chainalysis found that LayerZero had set a default RPC quorum of 1-of-1: a single compromised node could authorize fraudulent cross-chain messages. That rsETH backed token versions across more than twenty chains, from Base to Arbitrum, from Linea to Scroll. One flaw, twenty ecosystems exposed.
The playbook repeats in smaller scale but identical logic. An attacker mints, dumps, bridges to another chain, then launders. In one recent case, 1,285.5 ETH were routed through a mixer to obscure the trail. Mint, dump, bridge, launder, though the theft pipeline has become industrial.
Layered on top of this is a theme SpazioCrypto has covered separately: the arrival of AI agents capable of finding vulnerabilities faster than defenders can close them. That analysis is available in a dedicated piece.
The Target Will Not Fix Itself
Taking both sides together, the conclusion is less reassuring than the mainstream thesis suggests. As long as bridges remain single custodians of multi-chain collateral, the geometry of risk favors the attacker. The attacker needs to find one point. The defender must protect all of them. Minimum quorum verification, cost optimizations that reduce checks, pressure to ship fast: every shortcut becomes a door. The $340.7 million figure from 2026 is not the sum of bad luck. It is the structural price of an architecture that has not yet solved its most expensive problem.
For those tracking cross-chain security at the technical level, European digital infrastructure security guidelines are maintained by ENISA, while attacker on-chain movements remain traceable on Etherscan.
