Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss
On June 19, the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting its network to the Secret Network protocol. The attacker managed to withdraw approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint."
As shown by an analysis conducted by Axelar's lead developer team, Common Prefix, the bug was discovered in the ICS-20 smart contract on the Secret Network side, operating via an IBC connection in the Cosmos ecosystem. The issue was that the algorithm creating "wrapped" versions of assets (saToken) did not verify which specific channel the incoming transaction originated from. This allowed the attacker to fake deposits and mint tokens without real backing.
Since the operations did not require permission, the attacker launched their own chain with a single validator in Cosmos. Through it, they sent packets with fictitious asset denominations, effectively "printing" funds out of thin air. Notably, the theft went unnoticed for seven days, indicating an insufficient level of monitoring by the teams.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to stop further unauthorized transfers. The team is now coordinating with exchanges and law enforcement agencies to track the stolen funds and potentially recover them.
It is important to emphasize that the incident is limited to specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Axelar's main protocol, other IBC connections, and Secret Network's native assets were not affected. Nevertheless, this is another alarming signal for the industry: vulnerabilities in cross-chain bridges remain one of the main security threats.
Despite the negative news, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization is approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. Such a sharp decline from peak levels is a characteristic sign of lost investor confidence and reduced network activity.
Expert opinion: Such attacks on bridges continue to demonstrate systemic risks associated with insufficient verification of cross-network transactions. The incident with Axelar and Secret Network is not an isolated case. Earlier in June, hackers twice attacked outdated contracts in the L2 network Aztec, causing damages of $2.19 million and $2.15 million. The industry urgently needs to implement stricter audits and real-time mechanisms for detecting anomalies; otherwise, such losses will become the new norm.