Someone will eventually realize that every cross‑chain bridge is built on borrowed time. In essence, that button is a fault-tolerant quantum computer, and "eventually" could be within the next few years.
Crypto bridges, the pipes that let tokens leave one chain and appear on another, depend almost entirely on elliptic curve cryptography (ECC) to prove identity. Break ECC, and a liquidity layer worth tens of billions could collapse overnight.
Are bridge teams even close to being ready to start mitigating this threat? To answer that, we need to look at how bridges actually move value.
Cracks Are Showing in the Cross‑Chain Foundation
Bridges sit between origin and destination chains, verifying deposits on Chain A and minting or unlocking assets on Chain B. No central custodian signs transactions. Validator clusters use digital signatures derived from ECC keys.
That design choice keeps bridging fees somewhat low compared to moving assets across traditional finance pipes, but it leaves a single load-bearing cryptographic weak point.
In practice, a bridge usually performs four jobs, in sequence:
The bridge observes a lock or burn event on the origin chain
It then signs an attestation that the event is real
The bridge then relays that signed message to the destination chain
Finally, it mints or releases the equivalent asset on arrival
When the process goes smoothly, the result is that the assets from the first chain are transmitted to the second chain. Every step except the initial observation relies on signatures derived from curves such as secp256k1 or Ed25519.
Examining a few implementations illustrates the pattern here. The extremely popular Solana‑to‑Ethereum route in Allbridge signs transfers with ECDSA validators, Wormhole guardians call the ECDSA Sign function to approve messages, and Synapse contracts expose curve helpers.
Notably, none of these public documents mentions a post‑quantum fallback. Publicly available materials on the topic distill to the following snapshot:
The pattern is stark. Every leading bridge hinges on ECC, and none advertises a post‑quantum roadmap. The remaining conclusion is that the entire group will stay vulnerable until a high-profile hack, after which teams will scramble to implement solutions. In such haste, the chosen solutions might be vulnerable too.
But why does everyone still rely on curves that Satoshi chose back in 2009?
The short answer is inertia. Wallet libraries, hardware secure elements, and exchange custody systems are all optimised for 64‑byte signatures. Those pieces form a dependency graph that is hard to recompile mid‑flight. Bridges, living at the intersection of multiple chains, feel that brittleness more sharply than single‑chain protocols.
Swap that out for Dilithium and each signature swells to roughly 2700 bytes. Multiply by the dozens of guardian votes Wormhole needs to finalise a message, and the call data fee alone could eat several dollars per swap on Ethereum.
Developers fear users will balk at that surcharge and move to cheaper but less secure wrappers, and the fears are well-grounded.
A Security Checklist For the Quantum Era
Despite the above, there's already a clear path for bridges to take to become quantum-secure, provided that they're willing to invest the effort.
NIST finalised the first batch of post‑quantum standards in 2024. The algorithms are public and production-ready, yet bridges have stayed put because the migration penalty is real.
Teams face at least four obstacles:
Signature sizes balloon from 64 bytes to several kilobytes, raising gas costs
Smart contract bytecode limits can make lattice maths awkward or unusable without a recompile
Off‑chain relayer software must synchronise upgrades across all supported chains
Software wallets and hardware signers need new code before users can approve anything
Those hurdles are not insurmountable. The Sui network already experiments with post‑quantum signatures, proving that performance can stay within DeFi tolerances.
Separately, there is also a perception that until a quantum computer is demoed breaking ECC in the wild, any upgrade is premature. That framing ignores the insurance nature of cryptography, and it rejects best practices in computer security.
By the time a break is public, the attacker will have been forging signatures for months. And where there might be only one attacker initially, it's practically guaranteed that others will figure out how to implement similar attacks once details of their approach are made public.
What If Quantum Lands First?
A Capgemini study reported that 60% of large firms expect "Q‑day" within the next decade.
That horizon may feel distant, yet attackers are already collecting ciphertext for harvest‑now-crack‑later campaigns. Bridges serve as juicy targets because a single signature can authorize transfers of entire liquidity pools.
Because curve signatures are deterministic, a future forgery could let attackers mint wrapped assets retroactively, rewriting bridge history. Even an honest chain cannot reverse coins that were never really there.
Classical attackers have already shown what is at stake.
High-profile exploits include the $625 million Ronin theft, the $100 million Harmony breach, and the $190 million Nomad incident. Each used smart contract bugs or compromised keys, not quantum tricks, yet quantum tooling would let an attacker bypass even a well‑audited codebase by forging validator signatures outright. And, at present, most of the codebases involved aren't convincingly "well-audited" either.
Therefore, risk management needs probability and impact. The probability of Q‑day within five years sits somewhere between 5% and 20% depending on which lab you ask, but the impact is a near‑total loss of bridged liquidity. That expected value already exceeds the cost of integrating ML‑DSA, especially for bridges that pull seven figures in fees every month.
Investors should assume a worst-case scenario, where liquidity is frozen or, more likely, has vanished, wrapped assets are unredeemable, and regulators are asking how an industry that saw this train coming still left the door unlocked.
Where Bridge Builders Go From Here
The roadmap for implementing fixes is more incremental than apocalyptic.
Validator clusters can start by running dual stacks, with ECDSA for backward compatibility and ML‑DSA for forward safety, then switch default paths once wallets catch up.
That migration mirrors the TLS 1.2 to 1.3 shift.
Bridge engineers thus must:
Be crypto agile
Have an abstraction layer that supports multiple methods of attestation
Write smart contracts that verify PQC algorithms
Not assume they will be told when quantum computing has scaled sufficiently to be a threat
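The dual-stack rule described above, as an added Go example that is not code from any bridge named here: an attestation is accepted only when a classical Ed25519 signature and a post-quantum signature both verify, and a missing post-quantum half fails closed. Assumptions: a Lamport one-time signature over SHA-256 stands in for ML-DSA so the block needs only the standard library, and `Accept`, `pick`, `hashEach` and the sample message are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Lamport one-time signature over SHA-256: hash-based stand-in for ML-DSA (assumption).
// pick returns, for each bit of SHA-256(msg), one of the two 32-byte values in keys.
func pick(keys, msg []byte) (out []byte) {
	d := sha256.Sum256(msg)
	for i := 0; i < 256; i++ {
		o := (2*i + int(d[i/8]>>(i%8)&1)) * 32
		out = append(out, keys[o:o+32]...)
	}
	return out
}

// hashEach hashes every 32-byte chunk: secrets -> public key, or signature -> check values.
func hashEach(in []byte) (out []byte) {
	for i := 0; i+32 <= len(in); i += 32 {
		h := sha256.Sum256(in[i : i+32])
		out = append(out, h[:]...)
	}
	return out
}

// Accept is the dual-stack rule: both signatures must verify; a missing one fails closed.
func Accept(edPub, pqPub, msg, edSig, pqSig []byte) bool {
	classical := len(edPub) == ed25519.PublicKeySize && ed25519.Verify(edPub, msg, edSig)
	pq := len(pqPub) == 512*32 && len(pqSig) == 256*32 &&
		bytes.Equal(hashEach(pqSig), pick(pqPub, msg))
	return classical && pq
}

func main() {
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	pqPriv := make([]byte, 512*32) // 256 pairs of 32-byte secrets
	rand.Read(pqPriv)
	msg := []byte("constructed attestation: lock 5 TOKEN on chain A, nonce 7")
	edSig, pqSig := ed25519.Sign(edPriv, msg), pick(pqPriv, msg)
	fmt.Println(len(edSig), len(pqSig))                             // signature sizes in bytes
	fmt.Println(Accept(edPub, hashEach(pqPriv), msg, edSig, pqSig)) // hybrid attestation
	fmt.Println(Accept(edPub, hashEach(pqPriv), msg, edSig, nil))   // PQ half stripped
}
```

A Lamport key may sign only one message, so a production validator would put ML-DSA in that slot; the sizes printed by `main` show the same kind of growth the migration obstacles list describes.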
Users can supply market pressure by demanding quantum guarantees before risking assets, and investors should price bridges with an eye on upgrade velocity.
Sui's prototype shows a phased migration path that's widely workable. First, add lattice keys as an optional alternative, then gather performance data, then flip defaults. Bridges could copy that playbook long before wallets catch up by using internal Dilithium keys to secure validator chatter while still accepting ECDSA from end users.
Furthermore, a governance proposal on any major bridge could allocate a small slice of emissions to fund a dedicated PQC testnet. That testnet would measure gas overhead, stress‑test signature aggregation, and give security researchers a target. The relative cost rounds to basis points compared with the value at stake.
Regulators are starting to notice the glaring need for PQC sanity. Executive Order 14144 on post‑quantum migration gives federal agencies five years to finish their effort, which is a relatively short timetable for the federal government to move on. The logical conclusion here is that stablecoin issuers that custody reserves via bridges will face awkward questions if their settlement rail is still vulnerable in 2030. Delaying an upgrade could morph from a question of engineering debt to one of legal liability.
What You Can Do
For investors, the due‑diligence checklist now includes a column that asks whether a bridge has published a PQC roadmap. Protocols that can tick that box may deserve a slight valuation premium over equally liquid but less forward‑looking peers.
If the quantum era arrives before the upgrade, bridges will be the industry's weakest link. If the upgrade arrives first, bridges could become a showcase for crypto's ability to evolve aggressively in the face of emerging threats.