The "infinite mint" vulnerability in the Axelar and Secret Network bridge led to a loss of $4.67 million.
On June 19, I recorded the disclosure of an incident in the Axelar cross-chain infrastructure related to the bridge to the Secret Network protocol. The attack, based on exploiting an "infinite mint" vulnerability, allowed the attacker to withdraw approximately $4.67 million. Notably, the theft went unnoticed for seven days, indicating a deep level of exploitation.
During the analysis conducted by the Common Prefix team, it was found that the bug was embedded in the ICS-20 smart contract on the Secret Network side, operating in the Cosmos ecosystem via an IBC connection. The problem was the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and issue "wrapped" versions of assets (saToken) without real backing.
The attacker went further: he launched his own chain in Cosmos with a single validator, from which he sent packets with fake asset denominations. Since the operations did not require permission, the process was fully automated. The Axelar Emergency Committee immediately disconnected the Secret and Secret-SNIP connections to stop further unauthorized transfers. The team is now coordinating with exchanges and law enforcement agencies to track and recover the funds.
It is important to emphasize that the incident only affected specific assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched. This indicates the targeted nature of the attack, rather than a systemic vulnerability.
Despite the negative news, the price of the Secret token (SCRT) showed a short-term increase of nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization is approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This indicates long-term pressure on the asset, despite the temporary spike.
My expert assessment: This incident is another alarming signal for the entire cross-chain bridge industry. "Infinite mint" type vulnerabilities continue to plague projects, despite numerous previous attacks. Investors should more carefully evaluate the security of bridges, especially those using custom contracts. While the Axelar team is responding promptly, trust in such solutions has been undermined. We await further steps to strengthen audits and implement mechanisms to prevent such attacks in the future.