Critical "Infinite Mint" Vulnerability in Axelar and Secret Network Bridge: Theft of $4.67 Million

On June 19, the blockchain infrastructure project Axelar officially confirmed a hack of the cross-chain bridge connecting its network to the Secret Network protocol. As a result of the attack, the attacker managed to withdraw digital assets worth approximately $4.67 million. The key cause of the incident was the exploitation of a vulnerability known as the "infinite mint bug."
Technical Details of the Attack
As established by the Common Prefix development team, the bug was found in a modified version of the CW20-ICS20 smart contract deployed on the Secret Network side as part of an IBC connection with the Cosmos ecosystem. The problem lay in the lack of verification of the channel from which incoming transactions originated. The contract algorithm automatically created "wrapped" versions of assets (saToken) without verifying the legitimacy of the deposit. This allowed the attacker to fabricate deposits and mint tokens unlimitedly without any real backing.
Notably, the attacker did not require permission to initiate operations. They simply deployed their own chain with a single validator in Cosmos, from which they sent packets with fictitious asset denominations. The theft went unnoticed for seven days — a troubling sign of shortcomings in on-chain activity monitoring.
Scale and Response
The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating with cryptocurrency exchanges and law enforcement agencies to track and potentially recover the stolen funds. It is important to emphasize that the incident affected only the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network were not compromised.
Market Reaction and Context
Despite such a serious event, the market reacted unexpectedly positively. The price of the native Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The current market capitalization is approximately $20 million. However, it is worth recalling that at its all-time high in October 2021, SCRT was worth $10.64 — a decline of 99.5% from peak values, highlighting a deep bearish trend for this asset.
My expert analysis: This incident is yet another reminder that vulnerabilities in bridge smart contracts remain one of the most dangerous threats in DeFi. The lack of basic channel verification in the ICS-20 contract is a gross architectural error that should not have passed an audit. The rise in SCRT price amid the hack likely reflects short-term speculative short covering rather than a genuine restoration of trust in the project. Investors should be extremely cautious with assets whose value has fallen 99% from all-time highs, as the risks of further devaluation and technical issues remain high.