Where the real risk sits

Between 2021 and 2024, cross-chain infrastructure lost over $2.5 billion to exploits — most of it from bridge contracts holding pooled liquidity. Ronin: $625M. Wormhole: $325M. Poly Network: $611M. BNB Token Hub: $570M. The pattern is consistent: a single bridge contract holds a large pool of user funds across chains, and a vulnerability in that contract drains the pool.

Notice what's not on that list: the swap layer itself, individual user wallets, or routing infrastructure. The risk is concentrated in liquidity-holding venues, not the act of swapping.

Custodial vs. non-custodial — the single biggest variable

Non-custodial routing means no one takes ownership of your funds — they move from your wallet to a one-time deposit address and settle on-chain. The deposit address is bound to your specific order; the routing engine cannot use it for anything else. Funds in transit live inside underlying bridge contracts (those are the risk; see above), not in an aggregator-owned account.

Custodial routing means an operator takes your funds first, then sends you the destination asset. Faster and sometimes cheaper, but introduces a counterparty: you're now trusting the operator's solvency and operational security in addition to the bridges.

AllSwap is non-custodial. Funds never sit in an AllSwap account.

How aggregation changes the picture

A single bridge concentrates risk: your full trade size sits in one contract for the in-flight window. An aggregator spreads the same trade across multiple smaller transfers — your $50K BTC → ETH order might go through three different bridges in parallel, so no single venue ever holds your full position. This doesn't make any individual bridge safer, but it cuts your exposure to any one bridge's failure mode.

Aggregators also let you pick venues by track record. AllSwap's routing engine excludes bridges with active vulnerabilities and weights routes by audit history. None of this is a guarantee — every cross-chain trade carries protocol risk you can't fully audit away — but it stacks the odds.

What AllSwap does to reduce risk

Routing is fully non-custodial — your funds are never in an AllSwap account. The deposit address is bound to your specific order; the routing engine has no authority to move funds anywhere except the path you confirmed when you accepted the quote.

If a route fails mid-flight (bridge stall, DEX liquidity dries up, partial fill), the source amount is auto-refunded to the origin address. You don't need to file a support ticket.

Bridges in the routing pool are filtered by audit history and operational record; we don't route through unaudited or recently-exploited contracts. The full pool is published in our security disclosure.

A 60-second pre-flight checklist

Right chain, right address: verify the first 4 and last 4 characters of both the deposit address and the destination address match what you intended. Address-swap malware is real.

Small test for large amounts: if you're moving more than your monthly rent, send 1-2% as a test first. The quote engine prices test trades fairly; you're not paying extra for the test.

Right wallet at destination: confirm the destination wallet can actually display the destination asset (some hardware wallets don't show certain tokens until you add them manually).

Source-chain finality: don't initiate cross-chain trades during known network instability (e.g. an Ethereum re-org window). The quote screen warns about this.

FAQ

Is non-custodial swapping safer than a centralized exchange?

It removes one risk (custodial counterparty) and adds another (wallet self-security). On the balance, non-custodial avoids exchange failure modes (insolvency, account freezes, KYC denial); but you carry the burden of keeping your wallet secure. There's no universal "safer" — they're different risk profiles.

Could AllSwap walk off with my funds?

Mechanically, no. Funds move directly from your wallet to a one-time deposit address that's bound to your specific order; AllSwap's routing engine has no permission to redirect them. The risk surface is the underlying bridge contracts, not AllSwap.

What if a bridge in my route gets exploited mid-trade?

If the exploit blocks settlement, the route engine attempts to reroute through alternative paths. If no path can complete, the source amount is refunded to the origin address. Direct exploit of in-flight funds (a bridge being drained while your transfer is mid-flight) is rare but theoretically possible — the same risk you carry with any cross-chain method.

Sources & references