Exploitation of the "Infinite Mint": Axelar loses $4.67 million in a bridge hack with Secret Network

On June 19, the blockchain infrastructure project Axelar confirmed the exploitation of a critical vulnerability in the bridge connecting its network with the Secret Network privacy protocol. As a result of the incident, an attacker withdrew assets worth approximately $4.67 million using a so-called "infinite-mint bug."
According to Axelar's lead developer, the Common Prefix team, the vulnerability was discovered in the ICS-20 smart contract on the Secret Network side, within the IBC connection to the Cosmos ecosystem. The contract, designed to create "wrapped" versions of assets (saToken), did not verify the origin channel of the incoming transaction. This error allowed the attacker to falsify deposits and mint tokens without any real collateral.
A key feature of the attack was that it required no additional permissions. The attacker launched their own chain in Cosmos with a single validator and then began sending IBC packets with fake asset denominations. The theft went unnoticed for seven days.
In response to the incident, the Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds and explore their possible recovery.
It is important to emphasize that the attack was strictly limited. Only the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH were affected. The main Axelar protocol, other IBC connections, and native Secret Network assets (SCRT) were not impacted. Interestingly, the market reacted to the news in a paradoxical way: the price of the SCRT token surged nearly 6% to $0.06, before correcting to ~$0.058, maintaining a daily gain of about 3%.
Analytical commentary: This incident is a classic example of how even established cross-chain solutions can suffer from fundamental errors in contract logic. The lack of validation of the incoming transaction channel is a gross mistake that completely undermines trust in the bridge. The paradoxical market reaction to the rise in SCRT is likely related to short covering or speculative expectations of token buybacks, but fundamentally, this does not change the severity of the infrastructure vulnerability.