Axelar suffered a bridge exploit with Secret Network: $4.67 million loss due to an "infinite minting" error

On June 19, the team of the blockchain project Axelar confirmed the hack of the cross-chain bridge connecting their protocol with Secret Network. The attacker managed to withdraw approximately $4.67 million by exploiting a vulnerability known as an "infinite mint bug." This attack went unnoticed for seven days — a significant period for such incidents, indicating a high level of sophistication on the part of the attacker.
Technical Details and Attack Vector
As determined by specialists from the Common Prefix team, the lead developer of Axelar, the root of the problem lay in a modified ICS-20 smart contract on the Secret Network side, used in the IBC connection of the Cosmos ecosystem. The contract, responsible for creating "wrapped" versions of assets (saToken), simply did not verify which channel the incoming transaction originated from. This flaw allowed the attacker to fabricate deposits and mint tokens without any real collateral. The operation required no permission — the hacker launched their own chain within Cosmos with a single validator, from which they sent packets with fake asset denominations.
Response and Incident Scale
In response to the threat, the Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to block further unauthorized transfers. Currently, the team is coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their recovery. It is important to emphasize that the incident affected only the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of Secret Network were not compromised.
Market Reaction
Despite such a high-profile event, the price of the native token of Secret Network (SCRT) showed unexpected volatility. At one point, quotes jumped nearly 6%, reaching the $0.06 mark. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization of SCRT stands at approximately $20 million. For context, the all-time high was recorded in October 2021 at $10.64, which is almost 99.5% above current levels.
Expert Commentary: This incident once again underscores the critical importance of smart contract auditing in cross-chain solutions. The "infinite mint" vulnerability is a classic, but as we see, still effective problem for bridges. The fact that the attack went unnoticed for a week points to the need for implementing more advanced on-chain activity monitoring systems. Investors should remember: as long as bridges remain the most vulnerable point in DeFi, the risk of losing funds persists even for seemingly well-protected protocols.