How Does Across Protocol Work?

Bridge|Risk C+|7 mechanisms|5 interactions

A bridge that moves crypto between blockchains by having professional relayers front the money for instant transfers. It holds $41M in liquidity pools and has never been directly exploited in 2+ years of operation. Its C+ grade reflects the use of a custom oracle system (UMA) that has a proven attack vector demonstrated in the $7M Polymarket incident.

TVL

$28M

Sector

Bridge

Risk Grade

C+

Value Grade

C

Core Mechanisms

Bridge/Intent-Based

Novel

Intent-based cross-chain bridging where users declare desired outcome

Users submit transfer intents specifying source chain, destination chain, and amount. Relayers compete to fulfill intents. While intent models are spreading, Across's relayer-fronted capital model remains differentiated.

Oracle/Optimistic

Novel

UMA optimistic oracle for cross-chain transfer verification

Relayer fills are verified through UMA's optimistic oracle: proposer submits a claim with a bond, 1-hour challenge window opens, and unchallenged claims are accepted. Disputes escalate to UMA's DVM.

Bridge/Relayer

Competitive relayer network fronting capital for instant bridging

Relayers front their own capital to fulfill user intents immediately, then are reimbursed from liquidity pools after optimistic verification. Relayer models are now standard in bridge designs.

Liquidity/Single-Sided

Single-sided liquidity pools on Ethereum mainnet for relayer reimbursement

LPs deposit assets into single-sided pools on Ethereum. Pools reimburse relayers after verified fills.

Governance/ACX

ACX token governance with staking for protocol security

Standard governance token with staking for additional economic security.

Fee/Dynamic

Dynamic bridge fees based on route liquidity and relayer competition

Standard dynamic fee model based on available liquidity and gas costs.

Security/Escalation

Multi-step dispute escalation from optimistic to full DVM resolution

Standard dispute escalation pattern from optimistic oracle to full DVM token holder vote.

How the Pieces Interact

UMA optimistic oracleCross-chain verificationHigh

The Polymarket governance attack (March 2025) demonstrated that UMA's oracle can be manipulated by accumulating 25% of voting power. If applied to Across, fraudulent bridge fills could be validated.

Relayer networkCapital concentrationMedium

Relayer network concentration among few well-capitalized actors introduces censorship risk and reduces decentralization guarantees, though it does not directly endanger user funds.

1-hour optimistic windowDispute mechanismMedium

The short 1-hour challenge window prioritizes speed over security; if disputers are offline or economically disincentivized, fraudulent fills could be finalized without challenge.

Single-sided LP poolsRelayer reimbursement timingLow

During high bridge volume, LP pool utilization could spike, creating temporary shortfalls where relayers cannot be reimbursed promptly.

Intent fulfillmentCross-chain finalityLow

Chain reorganizations after intent fulfillment could create double-spend scenarios or orphaned relayer fills.

What Could Go Wrong

  1. UMA optimistic oracle demonstrated vulnerability in the March 2025 Polymarket attack ($7M loss) where a single entity accumulated 25% of voting power to manipulate market resolution. The same vector could theoretically be applied to Across bridge verification.
  2. Intent-based architecture depends on active relayer network; relayer concentration creates censorship risk and single points of failure for bridge execution.
  3. Custom oracle system (UMA optimistic oracle) with a 1-hour challenge window trades security for speed. If disputers are offline or economically disincentivized, fraudulent fills could be finalized.

UMA Oracle Governance Capture

Tail

Trigger: A single entity accumulates 25%+ of UMA voting power and submits fraudulent bridge fill proposals during a period of low disputer activity

  1. 1.Attacker accumulates sufficient UMA tokens to control 25% of Data Verification Mechanism votes Attacker can propose and validate fraudulent bridge fills through the optimistic oracle
  2. 2.Fraudulent fill proposals pass the 1-hour optimistic challenge window unchallenged LP pools reimburse attacker for fills that never occurred on destination chains
  3. 3.LP pool balances drain as fraudulent reimbursements accumulate Legitimate relayers cannot be reimbursed, halting bridge operations
  4. 4.Bridge users with in-flight transfers face failed or delayed completions Trust in Across collapses; users migrate to competing bridges
  5. 5.ACX token crashes as protocol's core security assumption is invalidated Remaining LP capital exits, making recovery economically unviable
See all 2 collapse scenarios in the full risk report →

Risk Profile at a Glance

Mechanism Novelty6/15
Interaction Severity8/20
Oracle Surface7/10
Documentation Gaps2/10
Track Record3/15
Scale Exposure3/10
Regulatory Risk3/10
Vitality Risk6/10
C+

Overall: C+ (38/100)

Lower score = safer

More on Across Protocol

Is Across Protocol Safe?

Safety analysis

Is Across Protocol a Good Investment?

Value analysis

Full Risk Report

All mechanisms & interactions

Related Bridge Explainers

How Does CrossCurve Work?D+How Does LI.FI Work?D+How Does Jumper Exchange Work?D+How Does Axelar Work?C-How Does deBridge Work?C-