Crypto news

21.06.2026
13:05

Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss

хакеры hackers, перемещение средств 2

On June 19, 2026, the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting it to the Secret Network protocol. As a result of the incident, the attacker withdrew funds totaling approximately $4.67 million, exploiting a critical vulnerability known as the "infinite mint bug."

Attack Details: How It Happened

The theft went unnoticed for seven days, indicating insufficient responsiveness of the monitoring systems. An analysis conducted by the Common Prefix team—Axelar's primary developer—showed that the bug was embedded in the ICS-20 smart contract deployed on the Secret Network side as part of the IBC connection within the Cosmos ecosystem. This contract was responsible for creating "wrapped" versions of assets (saToken) but did not verify the legitimacy of the channel from which the incoming transaction originated.

The attacker exploited this flaw to falsify deposits. They launched their own chain within Cosmos with a single validator, from which they sent packets with fake asset denominations. Since operations on the network were permissionless, the contract automatically minted tokens without any real collateral.

Response and Scale of Damage

Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to block further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds and potentially recover them.

It is important to emphasize that the incident affected only the saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The core Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched. This indicates that the vulnerability was localized and related to the specific implementation of the contract.

Market Doesn't Panic: SCRT Shows Growth

Contrary to expectations, the news of the hack did not cause a crash in the Secret (SCRT) token. Instead, its price surged nearly 6% at the moment, reaching $0.06. After a slight correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization stands at approximately $20 million.

For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. Such a sharp decline from peak values makes the token highly speculative, and the current market reaction appears more like a bounce following the vulnerability's identification rather than a sign of restored confidence.

Recall that in June, hackers twice attacked outdated contracts in the L2 network Aztec, causing damages of $2.19 million and $2.15 million, respectively. These incidents highlight a systemic problem: even with modern security protocols, vulnerabilities in legacy code or unverified contracts remain the "Achilles' heel" of the DeFi ecosystem.

Expert Commentary from Cryptalist: This incident is yet another reminder that cross-chain bridges remain the primary target of attacks. The "infinite mint" vulnerability is a classic example of how a lack of input validation can lead to the complete compromise of a liquidity pool. Investors should pay attention to projects that implement real-time smart contract auditing and automatic mechanisms for blocking suspicious transactions. Without this, any integration between blockchains carries significant risk.