Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million

The blockchain project Axelar faced a serious security incident on June 19: an attacker exploited an "infinite mint" vulnerability in the bridge with the Secret Network protocol and withdrew approximately $4.67 million. The theft went unnoticed for seven days, highlighting the complexity of monitoring cross-chain operations.
My analysis shows that the bug was embedded in the ICS-20 smart contract on the Secret side of the Cosmos IBC connection. The algorithm created "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction came from. This allowed the attacker to falsify deposits and mint tokens without real backing. The operations required no permission, so they launched a chain with a single validator in Cosmos and relayed packets with fake asset denominations.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery. Importantly, the incident is limited to saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The core Axelar protocol, other IBC connections, and native assets of the Secret Network remain unaffected.
Despite the reported theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes — demonstrating how deeply the market has already discounted risks.
This incident serves as another reminder that even mature cross-chain protocols are vulnerable to errors in contract logic. The market appears to have perceived the hack as an isolated case that does not threaten the fundamental security of the Secret Network, but for investors, it is a signal: trusting bridges without thorough audits is risky.