Bridges are where the money moves — and where the money gets taken.
The Ronin exploit: $625M. Wormhole: $325M. Nomad: $190M. Every major bridge exploit follows a similar arc: anomalous transactions execute on-chain, the bridge's own monitoring doesn't catch it, community members notice hours later when the damage is done.
The blockchain records everything in real time. The problem has never been visibility — it's been the absence of a monitoring layer that acts on what the blockchain is already saying.
The monitoring gap in cross-chain infrastructure
Bridge security research focuses heavily on smart contract audits, economic design, and validator security. These matter. But none of them solve the operational monitoring problem: what happens when something anomalous starts executing right now?
On-chain anomalies have signatures. A bridge getting systematically drained doesn't happen in one transaction — it happens in a pattern. Large sequential withdrawals. Transactions from unusual initiating addresses. Withdrawals that exceed the typical size distribution by several standard deviations. Protocol interactions from wallets that were dormant for months.
Catching these patterns requires watching continuously, not auditing after the fact.
What 0watch monitors on bridge infrastructure
Large withdrawal detection — Define what "large" means for your bridge's TVL and liquidity profile. 0watch alerts the moment a single withdrawal exceeds that threshold, giving your team time to investigate before subsequent transactions execute.
Velocity monitoring — Legitimate bridge usage has characteristic transaction frequency. An unusual spike — particularly in withdrawals from the same destination address or contract — is a flag worth examining immediately.
Anomalous address activity — Watch specific wallet addresses that have exhibited suspicious patterns in the past, or set up monitoring on the bridge contract itself to catch interactions from unexpected callers.
Protocol exposure alerts — If a bridge contract starts interacting with addresses outside its expected counterparty set, that warrants attention. 0watch can alert on any transaction involving an unapproved contract address.
Failed transaction monitoring — Failed transactions on bridge contracts often indicate probing behavior or unexpected state. Surface them as they happen.
Setting up cross-chain monitoring
Monitor a bridge contract across multiple chains from a single setup:
# 1. Get an API key
curl -X POST https://watch.0agent.ai/api/keys \
-H "Content-Type: application/json" \
-d '{"owner_email": "[email protected]"}'
# 2. Register the bridge contract on each chain
curl -X POST https://watch.0agent.ai/api/wallets \
-H "X-API-Key: owk_..." \
-H "Content-Type: application/json" \
-d '{
"address": "0xYourBridgeContractEthereum",
"label": "Bridge — Ethereum",
"chain": "ethereum"
}'
curl -X POST https://watch.0agent.ai/api/wallets \
-H "X-API-Key: owk_..." \
-H "Content-Type: application/json" \
-d '{
"address": "0xYourBridgeContractArbitrum",
"label": "Bridge — Arbitrum",
"chain": "arbitrum"
}'
# 3. Set conservative alert thresholds for security monitoring
curl -X POST https://watch.0agent.ai/api/webhooks \
-H "X-API-Key: owk_..." \
-H "Content-Type: application/json" \
-d '{
"wallet_address": "0xYourBridgeContractEthereum",
"url": "https://your-security-endpoint/hooks/bridge",
"threshold_eth": 100.0,
"velocity_limit": 20,
"failed_transactions": true,
"approved_protocols": [
"0xKnownCounterpartyArbitrum",
"0xKnownCounterpartyOptimism"
]
}'
For a full security monitoring setup using the SDK:
import { watch } from '@0agent/watch'
const bridgeContracts = [
{ address: '0xBridgeEthereum', chain: 'ethereum', label: 'Bridge — Ethereum' },
{ address: '0xBridgeArbitrum', chain: 'arbitrum', label: 'Bridge — Arbitrum' },
{ address: '0xBridgeOptimism', chain: 'optimism', label: 'Bridge — Optimism' },
{ address: '0xBridgeBase', chain: 'base', label: 'Bridge — Base' },
]
for (const contract of bridgeContracts) {
watch.register({
wallet: contract.address,
chain: contract.chain,
label: contract.label,
alerts: {
transferLimit: 100, // alert on transactions > 100 ETH equivalent
velocityThreshold: 20, // alert if > 20 txns/hour
failedTransactions: true, // surface all failed txns
protocols: APPROVED_COUNTERPARTY_LIST,
},
webhook: 'https://your-security-endpoint/hooks/bridge',
})
}
What to do with an alert
The point of real-time monitoring is to create response time. When a 0watch alert fires on a bridge contract, the question is: is this legitimate high-volume activity, or the start of an exploit pattern?
The webhook payload gives you what you need to make that call quickly:
{
"alert_type": "threshold_exceeded",
"wallet_address": "0xBridgeContractEthereum",
"wallet_label": "Bridge — Ethereum",
"transaction_hash": "0xabc...",
"block_number": 21847500,
"value_eth": 450.0,
"from": "0xInitiatingWallet",
"to": "0xBridgeContractEthereum",
"timestamp": "2026-03-12T04:22:11Z",
"chain": "ethereum"
}
From this you can: check if the initiating wallet is known, verify against expected TVL limits, cross-reference with your own transaction logs, and decide whether to escalate to your incident response flow.
Many bridge teams route 0watch alerts to PagerDuty for immediate on-call notification. For critical threshold breaches, some teams integrate automated circuit breakers — pausing bridge operations pending human review — triggered by the webhook.
Beyond bridges: cross-chain applications
The same monitoring pattern applies to any cross-chain architecture:
L2 sequencer monitoring — Watch for unusual transaction batches or anomalous state root submissions.
Omnichain token contracts — Alert on large mints or burns that could indicate a bridge exploit in progress.
Cross-chain governance — Monitor for unexpected execution on timelocked contracts across chains.
Agent wallets operating cross-chain — AI agents increasingly operate across multiple chains. If your agent has wallets on Base and Ethereum, 0watch covers both from one setup.
The cost of not monitoring
Bridge exploits consistently share one characteristic: the on-chain activity was visible before the response began. The Ronin attacker moved funds over six days. Nomad was drained over six hours in a chaotic free-for-all after the initial vector was discovered. In both cases, the chain was telling the story in real time.
Monitoring doesn't prevent exploits. It compresses the response window — and in DeFi, response time is the difference between a contained incident and a total loss.
Start monitoring bridge infrastructure
Free tier covers 3 addresses. For serious bridge or protocol security monitoring with real-time alerts and full history, Developer tier starts at $49/month.