A vulnerability known as "infinite mint" in the Axelar and Secret Network bridge has resulted in a loss of $4.67 million and a market reaction.
On June 19, the team behind the blockchain project Axelar disclosed an incident involving the exploitation of the bridge between Axelar and the Secret Network protocol. As a result of the attack, the attacker withdrew assets worth approximately $4.67 million, exploiting a critical vulnerability known as "infinite mint."
According to an analysis conducted by Axelar's lead developer, Common Prefix, the bug was found in the ICS-20 smart contract on the Secret Network side within the IBC connection of the Cosmos ecosystem. The algorithm, designed to create "wrapped" versions of assets (saToken), did not verify which channel the incoming transaction came from. This allowed the attacker to falsify deposits and mint tokens without real backing.
The attacker launched their own chain with a single validator in Cosmos, from which they sent packets with fake asset denominations. The theft went unnoticed for seven days, highlighting the difficulty of detecting such vulnerabilities in cross-chain infrastructure.
Scale and Response
The incident exclusively affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of Secret Network were not compromised. The Axelar Emergency Committee promptly disconnected the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery.
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes.
Analytical Commentary
This incident underscores a fundamental security issue in cross-chain bridges, particularly those using complex contracts with modified protocols. The "infinite mint" vulnerability is a classic example of how insufficient validation of incoming data can lead to unlimited asset issuance. The market, however, reacted unexpectedly: the short-term rise in SCRT suggests that investors may perceive such attacks as temporary glitches rather than systemic threats. In the long term, such events inevitably undermine trust in decentralized financial bridges, requiring developers to implement stricter audit and monitoring measures.