Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss

On June 19, the blockchain infrastructure project Axelar disclosed a hack of its cross-chain bridge with the Secret Network protocol. The attacker managed to withdraw approximately $4.67 million by exploiting a critical vulnerability in a smart contract.
According to an analysis conducted by the Common Prefix team, the main developer of Axelar, the bug was found in a modified CW20-ICS20 contract on the Secret Network side within an IBC connection in the Cosmos ecosystem. The issue was that the algorithm created "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction originated from. This allowed the attacker to fake deposits and mint tokens without real backing.
Since the operations did not require permission, the attacker launched a chain in Cosmos with a single validator, from which they sent packets with fake asset denominations. The theft went unnoticed for seven days.
Consequences and Response
The Axelar Emergency Committee immediately disconnected the Secret and Secret-SNIP connections to halt any new unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery.
The incident is limited to the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network are unaffected.
Market and SCRT Price
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at ~$20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes.
Expert Opinion: This incident is yet another alarming signal for the entire cross-chain bridge ecosystem. Vulnerabilities like "infinite mint" are becoming classic, but developers still fail to pay adequate attention to input validation. The market, as usual, reacted paradoxically: the rise in SCRT amid the hack suggests that investors either do not understand the risks or believe the damage is already contained. However, the fundamental security of the protocols remains in question.