Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Costs $4.67 Million

On June 19, the blockchain project Axelar officially confirmed a hack of its cross-chain bridge connecting it to the Secret Network protocol. As a result of the attack, the attacker withdrew approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint."
Notably, the theft went undetected for seven days, indicating insufficient effectiveness of real-time monitoring systems. During the analysis, Axelar's lead developer, the Common Prefix team, determined that the bug was embedded in the ICS-20 smart contract on the Secret side within the Cosmos IBC connection. The issue was that the algorithm created "wrapped" versions of assets (saToken) but did not verify which specific channel the incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without any real backing.
Since the operations required no permission, the attacker launched their own chain with a single validator within Cosmos, from which they sent packets with fake asset denominations. This is a classic example of an attack on cross-chain bridges, where a lack of channel verification leads to unlimited issuance.
In response to the incident, the Axelar emergency committee immediately disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is now coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery. It is important to emphasize that the incident is limited to the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remain unaffected.
Despite the shocking news of the theft, the market reacted paradoxically: the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. However, it is worth noting that at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% higher than current quotes. This indicates a deep bearish trend that even news of the hack could not reverse.
This incident recalls recent attacks on outdated contracts in the L2 network Aztec, where hackers withdrew $2.19 million and $2.15 million over several days. The cross-chain bridge market remains one of the most vulnerable points in the DeFi ecosystem.
Expert commentary: This hack is further proof that the architecture of cross-chain bridges requires a fundamental overhaul. The "infinite mint" vulnerability is not a random error but a systemic issue related to insufficient validation of cross-chain messages. Until projects implement multi-level checks and decentralized oracles for asset verification, such attacks will continue. The market should be prepared for further losses if preventive measures are not taken.