In March 2024 BlackRock launched its first tokenised fund on a public blockchain, the BlackRock USD Institutional Digital Liquidity Fund, ticker BUIDL, on Ethereum. By 2025 the fund was available on roughly nine chains including Arbitrum, Aptos, Avalanche, BNB Chain, Optimism, Polygon, and Solana, with cross-chain transfers between several of those networks powered by Wormhole, according to a March 2025 announcement from Wormhole and Securitize. BUIDL is one of the clearest examples of a US enterprise asset relying on a cross-chain bridge in production. The fund crossed $1 billion in assets under management within its first year of operation, per the March 2025 Securitize press release.
Why Bridges Matter Now
A cross-chain bridge moves value between blockchains that otherwise have no native connection. A bridge contract locks the asset on chain A and mints a wrapped representation on chain B, with the protocol maintaining the relationship between the two sides. The largest production use of bridges has been moving stablecoins and tokenised assets between Ethereum and the layer-2 chains that scale it. Once BUIDL added a new share class on Solana with Wormhole interoperability in 2025, an institutional treasury could acquire shares on Ethereum and consume them on Solana without leaving the same legal product.
The same architecture has, however, produced some of the largest crypto thefts on record. Chainalysis reported in August 2022 that cross-chain bridge exploits had accounted for roughly $2 billion in stolen funds that year, or 69 per cent of all stolen crypto in 2022, in an analysis hosted on its blog. The headline incidents from that period were Wormhole, exploited for around $325 million in February 2022, Ronin Network, exploited for around $625 million in March 2022, and Nomad, exploited for around $190 million in August 2022. Each was traced to a specific failure in either validator-set security or contract logic, not to the underlying cryptographic primitives.
How the Architectures Have Diverged
The bridge market did not consolidate after 2022. Instead, it forked into several distinct architectures, each with its own security trade-offs. LayerZero relies on an oracle plus a relayer architecture, with a configurable security stack each deploying application can choose. Wormhole rebuilt around a 19-member guardian set and added staking-based economic security. Axelar uses a permissionless proof-of-stake validator set with slashing for misbehaviour. Chainlink CCIP, released in 2023, added a separate risk-management network that monitors messages in parallel with the relay path. Each of these designs has trade-offs. None is provably correct. All have produced public security writeups and audited contracts.
For an enterprise CTO, the question now is which bridge the application can defend in front of a regulator. The Office of the Comptroller of the Currency made that question more tractable in March 2025 with Interpretive Letter 1183, which confirmed national bank authority to engage in crypto-asset custody and stablecoin activities without prior supervisory non-objection. The letter does not say which bridge a bank should use. It does establish that bridge-aware custody is a permissible business activity, which is the regulatory clarity a bank legal team needs before approving the integration work.
Enterprise Use in 2025 and 2026
BUIDL crossed roughly $2.9 billion in assets at its peak in mid-2025, making it the largest single tokenised US Treasury vehicle on a public chain. BUIDL is the visible enterprise example, but it is not the only one. Franklin Templeton’s on-chain US Government Money Fund (FOBXX) operates across several public chains. PayPal’s PYUSD stablecoin, launched in 2023, has expanded its supported chains over time. Circle’s USDC operates across more than a dozen public chains and runs its own Cross-Chain Transfer Protocol (CCTP) that lets one USDC token burn on the source chain and mint on the destination, removing the bridge as a wrapping intermediary. These deployments share a common pattern. The asset issuer keeps the legal product anchored to one chain, the bridge handles the movement, and the receiving counterparty interacts with the wrapped representation as if it were native.
The corporate audit question follows from there. A bank holding a bridged BUIDL share on Solana has to know how Wormhole’s guardian set is composed, how it is governed,, what happens if guardians fail to sign, and what happens if the bridge contract on either side is compromised. The questions are not new, but in 2026 they are being answered in writing for the first time by US regulators rather than being deferred to a future rulemaking. The OCC, the SEC, and the Federal Reserve have each issued public material that touches on cross-chain operations in the period from 2024 through mid-2026. The cumulative effect is to treat bridges as a normal third-party dependency rather than as an experimental technology.
Security Posture and the Insurance Market
The insurance and audit markets have begun to price bridge risk explicitly. Nexus Mutual and Sherlock both write cover for specific protocols, including major bridges, with premium rates that reflect the protocol’s history. Audit engagements for bridge contracts are routinely longer and more expensive than for single-chain DeFi contracts. Major audit firms in the space, including Trail of Bits and OpenZeppelin, publish many of their bridge engagement reports openly, and contest-style audit platforms including Code4rena and Sherlock have run public competitions on bridge code with prize pools in the hundreds of thousands of dollars. The economics now match the size of the assets at risk, which is a change from the situation only three years earlier.
None of this is foolproof. Bridge incidents continued through 2024 and 2025, though Chainalysis and other on-chain analytics firms report lower frequency than the 2022 peak. That shift reflects how well the contract layer has been audited. It also explains why the human and operational controls around bridge validators are now the subject of as much engineering attention as the cryptography. Validator hardware security modules, multi-party computation for key generation, and dedicated incident response retainers have all become standard line items in bridge operating budgets.
| Date | Bridge | Reported loss |
|---|---|---|
| Feb 2022 | Wormhole | ~$325M |
| Mar 2022 | Ronin Network | ~$625M |
| Aug 2022 | Nomad | ~$190M |
Source: Chainalysis, “Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk”, August 2022. Chainalysis estimated $2B in cross-chain bridge theft across 13 incidents in 2022, accounting for 69 per cent of all stolen crypto funds that year.
What to Watch Through 2027
Three threads will shape US enterprise bridge adoption through 2027. First, the GENIUS Act stablecoin framework that became law in July 2025 will produce a set of US-regulated stablecoin issuers, each of which will face the question of whether to bridge or to issue natively on multiple chains. Second, the post-quantum migration timeline will push bridge designs to incorporate post-quantum signatures as US regulators tighten cryptographic expectations through the end of the decade.
Third, the maturation of intent-based bridging and shared sequencer architectures will reduce the need for the user to know which bridge is being used. The UX work happening at the wallet and aggregator layer in 2025 is moving the bridge from a destination to a piece of plumbing. For US enterprise treasurers, the practical question in 2026 is no longer whether a bridge will work. It is which bridge survives the next regulator visit, the next post-quantum cryptography update, and the next composable settlement layer that quietly replaces it. The decision is not whether to use bridges; the decision is how to document the choice in a way that survives a regulator visit and a five-year retrospective.
The story of cross-chain bridges in 2026 is less about hacks than about the slow, deliberate work of integrating bridges into the regulatory perimeter. That work is unglamorous, but it is the precondition for everything else. The protocol layer matured first, the security layer matured second, and the regulatory layer is maturing last. That is the same order in which most successful financial infrastructure has crossed the bridge from research to production.
