Why Security and Decentralization Matter Now More Than Ever
TL;DR
A recent high-profile crosschain exploit reportedly drained roughly $292M, the largest crypto hack of 2026 so far. The crosschain layer is back under the microscope, and the lesson is the same one users keep paying for: bridge security is not a feature, it is the architecture.
Across does not run on a static validator set, a multisig, or wrapped tokens that can be minted out of thin air. It runs on a permissionless network of independent relayers who front their own capital to fill user intents.
The relayer network is decentralized by design. Anyone can run one. The first to deliver wins. Users never wait on a closed group of signers to approve a transfer.
Settlement is verified after the fact by UMA's optimistic oracle. Only one honest participant has to dispute a bad bundle for the system to hold. That is the security floor.
Across has processed $35B+ across all integrations and, as of this writing, has never lost user funds to a protocol-level failure (per the Across docs). Move money safely with across.to.
Last month, a high-profile crosschain protocol was reportedly drained for around $292M in a single incident, making it the largest crypto exploit of 2026 so far. The funds did not leak through a smart contract bug in the user-facing app. They leaked through the messaging and verification layer that bridges depend on, the off-chain machinery that decides whether a message from one chain is allowed to move money on another.
That distinction matters. It matters because most bridge users are not evaluating messaging layers when they click "Confirm." They are evaluating the front end. The depth chart. The fee. The branding. And they assume, reasonably, that the protocol underneath the button has done the security work for them.
Sometimes it has. Sometimes it has not. And when it has not, users are the ones holding the bag.
The crosschain industry as a whole loses when any major bridge fails, because every failure resets user expectations downward and tarnishes the greater crypto brand, slowing down the potential of mass adoption. But the recent incident is a useful reminder of why Across has been designed the way it has been, and why the choices that look "boring" in a bull market. Our relayer network, the canonical-asset rule, the optimistic-oracle settlement are exactly the choices that decide whether a user keeps their money or loses it.
Three things matter here. The architecture of the relayer network. The decentralization of that network. And the rule that the user is never the one taking the risk.
The Relayer Network Is the Bridge
Most bridges, historically, have asked the user to trust one of two things. Either a closed validator set, or a wrapped representation of the asset they were trying to move. Both are fragile. A closed validator set is only as secure as the smallest subset that needs to collude or be compromised, which is how Ronin lost roughly $624M in 2022 when five of nine validator keys were taken. A wrapped asset is only as secure as the contract that mints it, which is how Wormhole lost roughly $320M in the same year when an attacker found a way to mint wrapped tokens without proper collateral.
Across does not have a validator set in the traditional sense, and Across does not mint wrapped tokens. Across has a relayer network.
A relayer is an independent third-party operator running specialized infrastructure across many chains. When a user submits an intent — "I want to send X amount of token A from chain 1 to chain 2" — that intent is broadcast to every relayer watching. The relayers race. The first one to deliver the funds on the destination chain and submit valid proof to Across' on-chain SpokePool contract wins the fill. That is the entire user-facing flow. The user gets their funds in seconds. The relayer gets reimbursed later, after settlement.
What this design changes is who carries the risk. In a traditional bridge, the user fronts the asset and waits for a closed set of signers or a messaging layer to confirm the transfer. In Across, the relayer fronts the capital. The relayer absorbs the finality risk, the gas risk, and the timing risk. The user receives canonical assets directly from the relayer's balance, near-instantly, and walks away.
That risk shift is the structural part. The decentralization is what keeps it honest.
Decentralized by Design, Not by Marketing
A network of relayers is only meaningfully different from a validator multisig if anyone can join it. Across' relayer network is permissionless. There is no allowlist, no KYC gate at the protocol level, no committee that decides who is allowed to fill orders.
Why does this matter for security? Because a permissionless relayer market is competitive in a way that closed validator sets are not. Relayers compete on speed and on fee. The fastest, most capital-efficient operators win the most fills. There is no privileged position. No relayer is "guaranteed" to win the next intent. If one relayer goes offline, gets compromised, or starts behaving badly, the other relayers route around them in milliseconds, because they want the fill themselves.
That is a different shape of decentralization than a 5-of-9 validator multisig. A multisig is decentralized in name. A handful of named entities with named keys hold the power, and if enough of those entities are reached, the system breaks. A permissionless relayer market is decentralized in operation. It does not depend on any specific operator being honest. It depends on the marketplace as a whole continuing to exist, which is a much harder thing to attack.
The settlement layer extends the same principle. After a relayer fills an intent, the fill gets bundled with every other recent fill and submitted to the HubPool on Ethereum mainnet. The bundle goes through a roughly one-hour liveness window. During that window, anyone can dispute the bundle if they think something is wrong. Not just the team. Not just the relayers. Anyone. If the bundle is challenged, the dispute is resolved by UMA's optimistic oracle, which surfaces the question to UMA token holders for a vote. If the bundle is correct, it finalizes and the relayer gets reimbursed. If it is not, the proposer's bond gets slashed.
The security guarantee that comes out of this is unusual in bridging: the system stays secure as long as at least one honest participant is watching. Not five of nine. Not a quorum of validators. One. That is a much weaker assumption than most bridges run on, which is the entire point.
User Security First, By Construction
There is a phrase Across has used since 2022 that has aged better than most marketing copy: canonical asset maximalism. The idea is simple. When a user bridges 1 ETH, they should receive 1 ETH at the destination. Not a wrapped token. Not a representation. Not an IOU minted by a bridge contract that may or may not be solvent. Real ETH. The same goes for stablecoins, for major L2 assets, for anything Across moves.
This sounds like a UX choice. It is mostly a security choice.
What the Recent Exploit Should Teach the Industry
The recent high-profile crosschain exploit was, by most accounts, a failure of the off-chain verification layer that connects two chains, not a failure of any single smart contract. That failure mode has been visible for years. It is the same shape as Ronin in 2022. It is the same shape as Multichain in 2023. The specific technical details vary, but the structural lesson does not. If a small set of off-chain operators or a closed messaging layer is the thing standing between a user and their money, that small set is the attack surface, full stop.
The industry's answer cannot be "trust us, we will be more careful." It has to be architectural. A bridge that depends on a closed set of validators or a wrapped-asset minter will, eventually, lose user funds when that closed set is compromised. A bridge that depends on a permissionless market of relayers, canonical assets, and optimistic dispute resolution does not have that single point of failure to begin with.
That is the case for Across, and it is the case Across has been making since 2022. It has not gotten less true. If anything, every new exploit makes it more obvious.
The bottom line
Across has processed more than $35B in crosschain volume across all integrations, and per the Across docs, has never lost user funds to a protocol-level failure. That is not a guarantee. Nothing in crypto is. But the architecture under that track record is the architecture that makes the track record possible. Decentralized relayers. Canonical assets. Optimistic verification. User funds in escrow that no team can move.