Home /Bridges /Lock & Mint

Lock-and-Mint Bridges

The oldest and most intuitive bridge design: lock a token on Chain A, mint a synthetic representation on Chain B. When you want to go back, burn the synthetic and unlock the original. Simple in concept — treacherous in execution. This page dissects the mechanism, the trust assumptions, and why billions have been lost when these systems fail.

🔄 Token Flow Animation

Watch tokens move through the lock-and-mint lifecycle. Click steps to advance manually or let it auto-play.

User sends native tokens to the bridge contract on the source chain.

📊 WBTC vs Portal (Wormhole) vs tBTC

Three lock-and-mint implementations, three wildly different trust models.

WBTC

  • Custodian: BitGo (centralized)
  • TVL: ~$5B+
  • Trust: Single entity holds all BTC
  • Minting: Merchant-gated (not permissionless)
  • Audit: Proof-of-reserve on-chain
  • Risk: BitGo compromise = total loss

Portal (Wormhole)

  • Guardians: 19 validators (⅔ quorum)
  • TVL: ~$1B+
  • Trust: Multisig of known entities
  • Minting: Permissionless
  • Hack: $320M (Feb 2022) — signature bypass
  • Risk: Guardian collusion or bug

tBTC v2

  • Custodian: Decentralized signers (Threshold Network)
  • Trust: Random signer selection + staking
  • Minting: Permissionless
  • Collateral: Staked T tokens as bond
  • Risk: ⅓ signer collusion, smaller TVL

⚠️ Risk Simulator

How much value is at risk? Adjust parameters to model lock-and-mint failure scenarios.

$2,000M
19
67%
$5M

🔥 Lock-and-Mint Exploits Timeline

Every major lock-and-mint bridge exploit, and what went wrong.

Feb 2022 — Wormhole ($320M)

Attacker bypassed signature verification on Solana side, minting 120k wETH unbacked. Jump Trading covered the loss.

Mar 2022 — Ronin Bridge ($625M)

North Korea's Lazarus Group compromised 5 of 9 validators (4 Sky Mavis + 1 Axie DAO). Wasn't discovered for 6 days.

Aug 2022 — Nomad ($190M)

A botched upgrade made every message valid by default. Hundreds of copycat attackers drained the bridge in a "decentralized robbery."

Jul 2023 — Multichain ($126M)

CEO held all private keys. Chinese authorities arrested him; funds moved from MPC wallets. Project collapsed entirely.

⚖️ Maintaining the Peg

A wrapped token should always be worth exactly 1:1 with its backing asset. Here's what maintains — or breaks — that peg.

Hover over the chart to see peg deviation events.