How Stablecoin Bridges Actually Fail (and What 2025 Fixed)

When people talk about bridge hacks, the mental model is usually a clever exploit of a smart contract. Ronin, Wormhole, Nomad, Multichain. Over $2.5 billion drained across the major incidents. The industry response has been predictable: more audits, more formal verification, more bug bounties.
That framing misses the real story. Most stablecoin bridges didn't fail because of a Solidity bug. They failed because the architecture itself was wrong. And through 2025, that architecture got replaced.
The lock-and-mint original sin
The dominant bridge pattern for years was simple: lock USDC on chain A, mint a wrapped representation (USDC.e, axlUSDC, whUSDC, pick your prefix) on chain B. The wrapped token is an IOU backed by the locked collateral.
This creates four failure modes, and every major hack hit at least one of them:
1. The honeypot problem. Every dollar of wrapped stablecoin in circulation means a dollar sitting in a bridge contract. A bridge with $500M TVL is a $500M bounty. Security scales linearly with TVL, but the incentive to attack scales the same way. You're racing an adversary with an unlimited budget for zero-days.
2. Validator set compromise. Most bridges delegate mint authority to a multisig or a proof-of-authority validator set. Ronin was nine validators, five of which got phished. Harmony was two keys. The cryptography was fine. The human layer wasn't.
3. Message verification gaps. Nomad's exploit wasn't clever. A bad initialization made every message look pre-approved. Anyone with copy-paste skills could drain it. The bridge was technically working as coded.
4. Fragmented liquidity and oracle lag. Even when nothing gets hacked, wrapped stablecoins drift from peg during stress. USDC.e on Avalanche traded at $0.87 during the March 2023 depeg because arbitrage was gated by the bridge itself. The bridge becomes its own oracle, and that oracle breaks exactly when you need it most.
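A Python model of failure mode 3, added here as an illustration and not taken from any bridge's contract code: when initialization marks the zero root as trusted, the default value returned for a never-proven message passes the check, and the hardened variant rejects it. The class names, the SHA-256 digest and the omitted Merkle proof step are assumptions of this example.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what uninitialized storage returns for any unknown key


def digest(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


class VulnerableReplica:
    def __init__(self, committed_root: bytes):
        # If committed_root is ZERO_ROOT, the "nothing stored" value is now trusted.
        self.confirmed = {committed_root}
        self.proven = {}  # message digest -> root the message was proven under

    def prove(self, msg: bytes, root: bytes) -> None:
        # Merkle proof checking is omitted; the model only tracks the outcome.
        self.proven[digest(msg)] = root

    def acceptable_root(self, root: bytes) -> bool:
        return root in self.confirmed

    def process(self, msg: bytes) -> bool:
        # A message that was never proven falls back to ZERO_ROOT.
        root = self.proven.get(digest(msg), ZERO_ROOT)
        return self.acceptable_root(root)


class HardenedReplica(VulnerableReplica):
    def __init__(self, committed_root: bytes):
        if committed_root == ZERO_ROOT:
            raise ValueError("refusing to initialize with the zero root")
        super().__init__(committed_root)

    def acceptable_root(self, root: bytes) -> bool:
        # The default value is never acceptable, whatever the initializer did.
        return root != ZERO_ROOT and super().acceptable_root(root)


def unproven_message_accepted(replica) -> bool:
    """Deployment check: a message nobody proved must always be rejected."""
    return replica.process(b"constructed message that was never proven")
```

Running `unproven_message_accepted` against a freshly initialized deployment is the kind of invariant test that catches this before an audit of the verification logic would.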
What wrapped assets actually are
Here's the part that took the industry too long to admit: a wrapped stablecoin is not the same asset. It's a bridge-issued credit instrument denominated in the original stablecoin. USDC on Ethereum is a Circle liability. USDC.e on Avalanche was an Avalanche bridge liability backed by a Circle liability.
You've added counterparty risk, smart contract risk, and validator risk on top of an asset whose entire value proposition is being risk-free. For payments infrastructure, that's unacceptable.
The 2025 shift: native issuance everywhere
The fix isn't better bridges. It's eliminating the need to bridge stablecoins at all.
Circle's CCTP (Cross-Chain Transfer Protocol) moved from curiosity to default in 2024, and by mid-2025 it became the dominant path for USDC movement. The mechanic is burn-and-mint: USDC on chain A is burned, Circle attests to the burn, USDC on chain B is minted natively by Circle. There is no wrapped token. No locked collateral pool. No bridge honeypot.
Tether followed with a similar model for USDT via native deployments on 14+ chains. PayPal's PYUSD launched natively on Solana rather than bridging from Ethereum. Paxos did the same for USDG across its deployments.
The pattern is consistent: the issuer controls mint and burn across all chains, and movement between chains is settled through the issuer's attestation layer rather than a third-party bridge.
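The burn, attest, mint sequence described above, as an added Python model that is not Circle's code or message format: it shows supply being destroyed on the source chain and recreated on the destination only against a valid, unreplayed attestation, with no locked pool anywhere. The `Chain` class, the `|`-separated message layout and the HMAC standing in for the issuer's public-key signature are assumptions of this example.

```python
import hashlib
import hmac

ATTESTER_KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer's key


def attest(msg: bytes) -> bytes:
    """Issuer-side step: attest to a burn message it has observed."""
    return hmac.new(ATTESTER_KEY, msg, hashlib.sha256).digest()


class Chain:
    def __init__(self, name: str):
        self.name, self.balances, self.supply = name, {}, 0
        self.next_nonce, self.used = 0, set()

    def issue(self, owner: str, amount: int) -> None:
        self.balances[owner] = self.balances.get(owner, 0) + amount
        self.supply += amount

    def burn(self, owner: str, amount: int, dest: str, recipient: str) -> bytes:
        if amount <= 0 or self.balances.get(owner, 0) < amount:
            raise ValueError("invalid burn amount")
        self.balances[owner] -= amount
        self.supply -= amount  # destroyed, not locked: no collateral pool exists
        msg = f"{self.name}|{dest}|{self.next_nonce}|{recipient}|{amount}".encode()
        self.next_nonce += 1
        return msg

    def mint(self, msg: bytes, attestation: bytes) -> None:
        if not hmac.compare_digest(attest(msg), attestation):
            raise PermissionError("attestation does not match message")
        src, dest, nonce, recipient, amount = msg.decode().split("|")
        if dest != self.name:
            raise ValueError("message is for another chain")
        if (src, nonce) in self.used:
            raise ValueError("burn already redeemed")
        self.used.add((src, nonce))
        self.issue(recipient, int(amount))


def demo():
    eth, avax = Chain("ethereum"), Chain("avalanche")
    eth.issue("alice", 100)  # constructed starting balance
    msg = eth.burn("alice", 40, "avalanche", "bob")
    avax.mint(msg, attest(msg))
    return eth, avax, msg
```

The value at risk in this design is the attester key rather than a contract balance, which is the shift in trust the section describes.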
What this actually changes
Several things shift once native issuance becomes the norm.
The attack surface collapses. There's no multi-hundred-million-dollar contract sitting somewhere waiting to get drained. An attacker who compromises CCTP still needs Circle's attestation signatures, which live in Circle's infrastructure, not on-chain.
Peg integrity holds under stress. Native USDC on every chain is the same asset, redeemable 1:1 with Circle. No depeg scenarios driven by bridge imbalances.
Liquidity unifies. DEX aggregators and market makers stop maintaining six different USDC variants with fragmented books. One asset, deeper liquidity, tighter spreads.
The general-purpose bridges get repositioned. LayerZero, Wormhole, Axelar, Hyperlane: these projects aren't dying, but they're moving off the stablecoin transfer business and focusing on arbitrary message passing, NFT movement, and long-tail asset bridging where native issuance doesn't exist.
What's still broken
Native issuance isn't a complete solution. A few real problems remain.
Settlement latency for CCTP is still 13-20 minutes on Ethereum mainnet because of finality requirements. For trading, that's an eternity. Intent-based systems (Across, CoW, Everclear) now work around this by fronting liquidity and settling via CCTP behind the scenes, but that reintroduces a counterparty.
Smaller stablecoins still rely on bridges. If you're holding some algorithmic or regional stablecoin, you're still in lock-and-mint territory.
And centralization is the tradeoff people should be honest about. Circle can freeze USDC on any chain. The burn-and-mint model makes that power more absolute, not less. This is acceptable for regulated fiat stablecoins. It would be catastrophic for something trying to be censorship-resistant money.
The architectural lesson
The broader point is that cryptographic security isn't the same as system security. You can have a perfectly audited, formally verified bridge contract and still lose everything because the economic design assumed trust where none existed.
The bridges that survived did so by narrowing their scope. The stablecoins that scaled did so by refusing to be bridged at all. Both are variations of the same insight: the safest system is one with fewer trust assumptions, not one with more sophisticated cryptography compensating for bad ones.
The next design question worth watching is what happens when this pattern extends beyond stablecoins. Native issuance for tokenized treasuries is already here. Tokenized equities are next. At some point, the concept of a general-purpose asset bridge starts looking like a transitional technology we built because we hadn't figured out the right abstraction yet.