Six trust models cover essentially every bridge in production today. Roughly strongest-to-weakest:
1. Light-client (e.g. IBC, Snowbridge BEEFY)
Each chain runs a verifier of the other chain's consensus. When chain A's validators sign a block, chain B's contract verifies that signature directly — no off-chain attestation.
Strengths: - Trust assumption ≈ "trust the source chain's validator set" — same as trusting the source chain itself. - No multisig to compromise. No federation. No challenger window. - Atomic — if the proof verifies, the mint happens; if it doesn't, nothing moves.
Weaknesses: - Expensive to build. Light-client contracts are dense cryptography. - Hard to upgrade. Changing the source chain's consensus rules (e.g. Ethereum's Beacon chain hard-fork) requires upgrading the light client on every destination chain.
Examples: IBC (Cosmos), Snowbridge (Polkadot↔Ethereum). The wallet has both.
2. Centralised attestation (e.g. CCTP, Ripple's native bridge)
A single entity issues attestations that the lock happened. Their signature triggers the mint.
Strengths: - Simple. Fast. Cheap. - The trust is concentrated and the entity is regulated (Circle, Ripple).
Weaknesses: - If the entity is compromised, sanctioned, or shuts down, the bridge stops. - Censorship-vulnerable. The attestor can refuse to sign for any user.
Examples: CCTP (Circle USDC), Ripple-operated native XRPL↔XRPL-EVM. The wallet has both.
3. Federated multisig (e.g. early Axelar, Wormhole)
A group of N validators (often 13-19) signs to release funds. A threshold (typically ⅔) is required.
Strengths: - More decentralised than a single attestor. - Diverse validators across operators, jurisdictions, hardware.
Weaknesses: - Compromise t (the threshold) → drain the lock. - Several federations have been compromised this way. Ronin Bridge 2022 lost $600M from a 5-of-9 multisig compromised by phishing 5 validators.
Examples: Wormhole (19 guardians), Axelar (~70 validators, BFT consensus), LayerZero (5-of-7 DVN multisig per app).
4. Optimistic (e.g. Across, Nomad)
Withdrawals are pending for a challenge window (typically 7 days). During the window, anyone can post a fraud proof that says "this attempted withdrawal isn't backed by a real lock — here's the proof". A valid fraud proof reverts the withdrawal and rewards the challenger.
Strengths: - Trust assumption = "at least one honest watcher exists who will challenge fraud". - Cheaper than light-client; no specialised cryptography.
Weaknesses: - 7-day wait for withdrawals (mitigated by "fast withdrawal" relayers who advance the funds and collect a fee). - A single honest watcher must actually exist + actually watch. Nomad lost $190M when a faulty contract upgrade let an invalid root be accepted, and no challenger flagged it in time.
Examples: Across, Hyperlane in some configs. The wallet doesn't use optimistic bridges in iter-A through H.
5. Liquidity-network (e.g. Connext, Hop)
The bridge maintains liquidity pools on both chains. A user deposits on chain A and gets paid out from the chain-B pool immediately. The bridge later rebalances via a slower trust-minimised path (typically optimistic).
Strengths: - Fast user experience (no withdrawal wait). - Each transaction is small relative to the pool — limits maximum loss from a compromise.
Weaknesses: - The chain-B pool is a finite pot. Big bridges drain it; you wait for rebalance. - Underlying trust is whatever the rebalancing path uses (often optimistic).
6. Atomic swap (HTLC)
Pure trustless. Both parties lock funds in a Hash Time-Locked Contract; one party reveals a secret that lets both parties claim. If the secret isn't revealed in time, both funds refund.
Strengths: - Zero trust. Pure cryptography.
Weaknesses: - Requires both chains to support compatible smart contracts. - Bad UX. Manual. - Mostly used for Bitcoin ↔ Ethereum DEX trades, not wallet bridging.
How the wallet ranks them
The wallet's bridge picker sorts available bridges by security tier for each (source, destination, asset) route:
- Light-client (IBC, Snowbridge)
- Centralised but well-audited (CCTP, Ripple native)
- Federated with large validator sets (Axelar, Wormhole)
- Federated with small validator sets (LayerZero)
The user sees the ranking + the fee + the latency + a "Recommended" badge on the top-ranked bridge. They can override.
What this means for you
Bridging is the riskiest operation in the wallet. The chain hop happens on someone else's trust assumption. Pick light-client where possible (intra-Cosmos, Polkadot↔ETH). For everything else, understand which trust model you're picking.
Next: the 6 bridges the wallet uses in detail.