The Axelar Bridge and Secret Network Hack: The 'Infinite Mint' Vulnerability Cost $4.67 Million

On June 19, the blockchain project Axelar officially confirmed the hack of the bridge connecting its network with the Secret Network protocol. The attacker managed to withdraw approximately $4.67 million by exploiting a critical vulnerability known as an "infinite mint bug." Notably, the theft went unnoticed for a full seven days.
How was the hack carried out?
According to an analysis conducted by Common Prefix, the primary developer of Axelar, the breach was found in the ICS-20 smart contract on the Secret side, which facilitates the IBC connection within the Cosmos ecosystem. The contract created "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction originated from. This flaw allowed the attacker to fabricate deposits and mint tokens without any real collateral. Since the operations required no permission, the attacker launched their own chain within the Cosmos network with a single validator, from which they sent packets with fake asset denominations.
Reaction and consequences
Axelar's Emergency Committee immediately disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their recovery. It is important to emphasize that the incident only affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of Secret Network remained untouched.
Market does not panic
Despite the severity of the incident, the market reaction was unexpected. The price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a slight correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization stands at approximately $20 million. It is worth noting that this is a drop in the ocean compared to SCRT's all-time high in October 2021, when the token was worth $10.64 — that is, 99.5% above current quotes.
Expert commentary: This incident is yet another reminder that the security of cross-chain bridges remains one of the weakest points in DeFi. The "infinite mint" vulnerability is a classic bug that should have been identified during the audit phase. The fact that the theft went unnoticed for a week indicates an insufficient level of on-chain activity monitoring. Despite the temporary rise in SCRT, long-term trust in the project may be shaken if the team does not demonstrate transparency in the investigation and implement more robust protection mechanisms.