Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss

On June 19, the blockchain project Axelar officially confirmed the hack of the cross-chain bridge connecting it to the Secret Network protocol. The attacker managed to withdraw assets worth approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint."
As analysis conducted by the Common Prefix team showed, the bug was discovered in the ICS-20 smart contract deployed on the Secret Network side as part of the Cosmos IBC connection. This contract was responsible for creating "wrapped" versions of assets (saToken), but did not verify the channel from which the incoming transaction originated. This allowed the attacker to fake deposits and mint tokens without real backing.
The attacker launched their own Cosmos chain with a single validator, from which they sent packets with fake asset denominations. The operations required no permission, making the attack simple to execute. The theft went unnoticed for seven days.
The Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and potentially recover them.
The incident only affected the saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The main Axelar protocol, other IBC connections, and native Secret Network assets were not impacted.
Despite the news of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, SCRT's all-time high in October 2021 was $10.64, which is 99.5% above current quotes.
Expert comment: The attack on the Axelar bridge is another reminder that even in mature ecosystems like Cosmos, critical bugs in smart contracts can remain. The "infinite mint" type vulnerability is a classic error that developers should identify during the audit stage. The fact that the theft went unnoticed for a week points to insufficient monitoring of on-chain activity. Investors should pay attention to projects that implement automated anomaly detection systems.