Start typing to search 100+ guides and coin pages.
Core Concepts

Sidechains & Bridges

How assets move between blockchains — and why bridges are a major security risk.

advanced · 6 min read · Updated January 1, 2026

A sidechain is a separate blockchain that runs in parallel with a main chain and is connected to it through a two-way peg, allowing assets to move back and forth. A bridge is the mechanism — usually a combination of smart contracts and off-chain software — that enforces that peg. Together, these two ideas form the backbone of cross-chain interoperability, and they are also responsible for some of the largest theft events in crypto history.

Understanding why requires looking closely at what it actually means to “move” an asset between chains.

The Fundamental Problem: Assets Cannot Physically Cross

A bitcoin does not exist on Ethereum. An ETH token does not exist on Solana. Each blockchain is a closed system — it only knows about the state of its own ledger. So when someone wants to “send” BTC to an Ethereum-based application, something more subtle has to happen.

The most common solution is a lock-and-mint mechanism:

  1. You deposit your asset on the source chain, where it gets locked in a smart contract or held by a custodian.
  2. A corresponding “wrapped” or “bridged” version is minted on the destination chain, representing a claim on the locked original.
  3. When you want to return, you burn the representation on the destination chain, which unlocks the original on the source chain.

The bridged token is only as trustworthy as the system controlling the lock. That is the core risk.

What Is a Sidechain?

A sidechain has its own block producers, its own consensus rules, and its own security model — completely independent of the main chain it pegs to. The connection between them is the bridge contract.

Some sidechains trade decentralization for speed and low fees. Others experiment with different virtual machines or governance structures. What makes them a sidechain rather than just an unrelated blockchain is the existence of that two-way peg: there is a defined, on-chain mechanism for moving value in both directions.

A sidechain inherits none of the security of the main chain. If the sidechain’s validators collude or are compromised, assets on that sidechain can be stolen or frozen — even if the main chain itself remains perfectly secure.

This is a critical distinction from rollups, which post their state data or proofs back to the main chain and therefore inherit at least some of its security guarantees. A sidechain is on its own.

Types of Bridges

Not all bridges work the same way, and the design choices create very different risk profiles.

Bridge TypeHow It WorksKey Risk
Centralized / custodialA single company holds the locked fundsSingle point of failure; requires full trust
MultisigA group of n-of-m signers controls the lockSigners can be compromised or collude
Light-client / on-chain relayEach chain runs a verifier for the otherComplex, expensive, but more trust-minimized
OptimisticAssume validity; watchers can challenge fraudDelay window; depends on active fraud watchers
ZK-basedCryptographic proof of source-chain stateComputationally intensive; newer, less battle-tested

Most bridges in production today use some form of multisig, because on-chain verification of another chain’s state is technically difficult and expensive. That means the security of billions of dollars of locked assets often reduces to the question: how well are those private keys protected?

This connects directly to concepts covered in public and private keys — whoever controls the keys controls the funds.

Why Bridges Are Such a Large Attack Surface

The locked funds on a bridge are a concentrated honeypot. Unlike a decentralized exchange where liquidity is spread across many pools and users, a bridge typically holds all the source-chain assets in one place. Attackers have a clear target and a clear payoff.

Vulnerabilities tend to fall into a few categories:

Smart Contract Bugs

If the bridge contract has a flaw in its logic — a re-entrancy vulnerability, an integer overflow, a missing access check — an attacker can drain the locked funds without touching the signers at all. A single line of incorrect code in a contract handling hundreds of millions of dollars has led to total losses in multiple real incidents. The notable hacks and failures page covers several of these in detail.

Compromised Validators or Signers

If a multisig bridge requires 5 of 9 signatures, and an attacker can compromise or socially engineer 5 of those 9 key holders, they can authorize fraudulent withdrawals. Private key theft, phishing attacks, and insider threats have all contributed to bridge exploits.

Logic Flaws in Message Verification

Bridges often rely on relayers — off-chain services that watch one chain and submit proofs or messages to the other. If the contract accepting those messages does not verify them correctly, an attacker can forge a message claiming that funds were deposited on the source chain when they were not.

Upgrade Key Risks

Many bridge contracts are upgradeable, meaning a small set of addresses can modify the contract logic. If those upgrade keys are stolen, the entire bridge can be rewritten to send all funds to an attacker.

How This Relates to Layer 2 and Broader Interoperability

It is worth mapping sidechains against the broader landscape described in layer 1 vs. layer 2. Layer 2 solutions like rollups are explicitly designed to derive their security from the underlying layer 1 — they use the base chain as a settlement and data availability layer. Sidechains do not. They are parallel systems that happen to have a bridge.

Cross-chain interoperability is the broader goal that bridges are trying to solve: letting users and applications on one chain interact with assets and logic on another. Bridges are the current, imperfect answer. Research into trust-minimized alternatives — particularly ZK-proof-based bridges that can verify another chain’s state cryptographically — is ongoing and represents a meaningful open problem in the space.

Practical Considerations for Bridge Users

If you use a bridge, a few questions are worth asking before you commit funds:

  • Who controls the locked assets? A centralized custodian, a multisig, or a smart contract with no admin keys?
  • Has the code been audited? By whom, when, and what was the scope?
  • How much value is currently locked? Bridges with very large total value locked are higher-profile targets.
  • Is the bridge upgradeable? If so, who holds the upgrade keys?
  • What is the worst-case scenario? If the bridge is exploited, is there any recourse or insurance?

None of this is a reason to never use bridges — they serve real purposes, and many operate without incident. But the risk is asymmetric: bridge users absorb a type of smart-contract and custodial risk that does not exist when staying on a single chain. Understanding crypto security best practices is worthwhile before using any bridge with meaningful funds.

Key Takeaways

  • A sidechain is an independent blockchain connected to a main chain via a two-way bridge; it does not inherit the main chain’s security.
  • Bridges work by locking assets on the source chain and minting representations on the destination — trust in the bridge is trust in whoever controls the lock.
  • Most production bridges rely on multisig arrangements, making private key security the critical failure point.
  • Smart contract bugs, compromised signers, and flawed message verification have each caused major bridge exploits.
  • ZK-based and light-client bridges aim to be more trust-minimized but are technically harder and less mature.
  • Users should evaluate who controls bridge funds and whether the contracts have been audited before moving significant value.

Next up: Smart Contracts