The "infinite mint" vulnerability in the Axelar and Secret Network bridge led to a loss of $4.67 million — incident analysis

On June 19, as an analyst at Cryptalist, I recorded the disclosure of a serious security incident affecting the cross-chain bridge between the Axelar and Secret Network protocols. The attacker managed to withdraw approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint."
According to data provided by the Common Prefix team, the main developer of Axelar, the bug was discovered in the ICS-20 smart contract deployed on the Secret Network side as part of the IBC (Inter-Blockchain Communication) connection of the Cosmos ecosystem. This contract was responsible for creating "wrapped" versions of assets (saToken), such as saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. However, its logic lacked a critical check of the source of the incoming transaction — the contract did not verify which specific channel the data was coming from.
How the Attack Was Executed
This vulnerability allowed the attacker to fake deposits. Since operations in the Cosmos network did not require permission, the attacker launched their own blockchain with a single validator. From this controlled chain, they sent packets with fictitious asset amounts, which the ICS-20 contract on Secret Network accepted as legitimate and issued unbacked tokens. The theft went unnoticed for seven days.
Reaction and Consequences
The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to stop further unauthorized transfers. The teams are coordinating with exchanges and law enforcement agencies to track and potentially recover the funds. It is important to emphasize that the incident is limited to the specified wrapped assets. The main Axelar protocol, other IBC connections, and native Secret Network assets (SCRT) were not affected.
Despite the shocking news, the market reacted paradoxically. The price of the Secret token (SCRT) momentarily surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily increase of about 3%. The market capitalization is approximately $20 million. It is worth recalling that at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% higher than current quotes.
My Expert Commentary: This incident is yet another painful reminder that the complexity of cross-chain interactions often becomes the Achilles' heel of DeFi. The "infinite mint" vulnerability is a classic error in contracts where the data source is not verified. Although the teams' response was swift, the fact that the theft went unnoticed for an entire week highlights the need for implementing more advanced monitoring and real-time auditing systems. For investors, this is a signal to exercise increased caution when dealing with any new or complex bridge solutions.