Crypto news

21.06.2026
21:27

Axelar Bridge and Secret Network Hack: $4.67 Million 'Infinite Mint' Vulnerability

On June 19, the blockchain project Axelar officially confirmed a hack of the bridge connecting it to the Secret Network protocol. As a result of the attack, the attacker withdrew approximately $4.67 million by exploiting a critical vulnerability known as the "infinite-mint bug."

As the results of my analysis show, the incident went unnoticed for seven days. Axelar's lead developer, the Common Prefix team, identified that the bug was embedded in the ICS-20 smart contract on the Secret Network side, used in the IBC connection of the Cosmos ecosystem. The problem was that the algorithm created "wrapped" versions of assets (saToken) but did not verify which specific channel the incoming transaction originated from. This allowed the attacker to fake deposits and mint tokens without real backing.

Since operations on the Cosmos network did not require permissions, the attacker launched their own chain with a single validator. From there, they sent packets with fake asset denominations, leading to unauthorized minting. In response, the Axelar emergency committee promptly disconnected the Secret and Secret-SNIP connections to prevent further transfers. The team is now coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their recovery.

It is important to emphasize that the incident only affected specific assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets remained untouched. This indicates the localized nature of the attack but does not diminish the severity of the vulnerability in the cross-chain infrastructure.

Despite the shocking news, the market reacted paradoxically. The price of the Secret token (SCRT) at the time of publication surged nearly 6%, reaching $0.06. After a slight correction, the asset is trading around $0.058, maintaining a daily gain of approximately 3%. The market capitalization stands at about $20 million. For comparison, at its all-time high in October 2021, SCRT was worth $10.64 — 99.5% above current quotes. This dynamic suggests that the market may be pricing in the team's rapid response rather than the hack itself.

Cryptalist Expert Opinion: This incident is yet another reminder that cross-chain bridges remain the most vulnerable point in DeFi. The "infinite-mint" vulnerability is a classic error related to insufficient channel validation in IBC protocols. Until teams implement stricter verification mechanisms at the contract level, such attacks will recur. Investors should be more cautious with assets passing through such bridges, especially during periods of high volatility.