Crypto news

21.06.2026
16:41

Vulnerability of "infinite minting": hack of the Axelar and Secret Network bridge for $4.67 million

hackers, moving funds 2

On June 19, the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting its infrastructure with the Secret Network protocol. The attacker managed to withdraw funds totaling approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint."

An analysis of the incident conducted by the Common Prefix team, Axelar's lead developer, showed that the breach was found in the ICS-20 smart contract on the Secret Network side within the IBC connection of the Cosmos ecosystem. This contract was responsible for creating "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction originated from. This error allowed the attacker to falsify deposits and issue tokens without any real collateral.

The theft went unnoticed for seven days. During this time, the hacker launched their own chain in Cosmos with a single validator, from which they sent packets with fake asset denominations, exploiting the lack of permissions on operations.

Axelar's Emergency Committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds and potentially recover them. It is important to note that the incident affected only the saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched.

Despite such a serious incident, the market reacted ambiguously. The price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization is approximately $20 million. At its all-time high in October 2021, SCRT was worth $10.64 — current quotes are 99.5% lower.

Expert Commentary: This hack is a classic example of how even in mature ecosystems like Cosmos, basic errors in smart contract logic can lead to million-dollar losses. The lack of verification of the incoming transaction channel is a bug that should have been identified during the audit stage. For the community, this is another signal that the security of cross-chain bridges remains one of the most vulnerable points in DeFi, and investors should consider these risks when evaluating assets.