Garden Finance, a cross-chain bridge protocol, lost approximately $11 million after a compromised solver drained funds from the platform.
The protocol has offered a 10% bounty for the return of the stolen funds. It’s also seeking help understanding exactly how the exploit occurred.
What happened and why it matters
The attack targeted Garden Finance’s solver, essentially the market-maker mechanism that facilitates cross-chain transactions. Bridges move assets between different blockchains, and solvers are the middlemen that match and execute those trades.
Garden Finance has stated that user funds were not affected by the exploit, suggesting the vulnerability was isolated to the protocol’s operational infrastructure rather than user-deposited assets.
Security researchers have raised concerns about whether the compromised solver was truly an independent third party or part of Garden’s own internal infrastructure. If it’s the latter, the vulnerability wasn’t some rogue external actor exploiting a permissionless system, but rather a failure in the protocol’s own key management and operational security.
Many bridge protocols rely on a small number of trusted actors to verify and relay messages between chains. When those actors are compromised, whether through social engineering, poor key hygiene, or insider access, the entire system can unravel.
Bridges remain crypto’s softest target
Security analysts have repeatedly warned that many bridge architectures are inherently fragile, relying on weak message verification and centralized key management. Bridges sit at the intersection of multiple trust models, and the bridge itself has to reconcile those differences often through off-chain relayers or multisig schemes that introduce centralization risk.
The Garden Finance exploit arrived around the same time as another bridge incident involving the Ronin Bridge, which saw $11.33 million withdrawn by a Maximal Extractable Value (MEV) bot. Sky Mavis, the company behind Ronin, asserted that core bridge reserves remained safe.
The Ronin Bridge was previously the target of one of the largest DeFi exploits ever, a $620 million theft linked to North Korean hackers, which became a case study in why centralizing trust in a small set of validators creates catastrophic single points of failure. The Wormhole bridge suffered a separate $322 million exploit.
What this means for investors
Garden Finance’s 10% bounty offer is intended to incentivize the attacker to prefer a guaranteed payout over the risk of being tracked or prosecuted. The fact that Garden is simultaneously asking for help understanding the exploit’s root cause suggests the team is still piecing together what went wrong.
Every bridge interaction is an implicit bet that the bridge’s off-chain infrastructure, key management, and smart contract logic are all functioning correctly, simultaneously, under adversarial conditions.