Crypto news

21.06.2026
21:47

Critical "Infinite Mint" Vulnerability: $4.67 Million Hack of the Axelar and Secret Network Bridge

хакеры hackers, перемещение средств 2

On June 19, 2026, the team behind the Axelar cross-chain protocol officially confirmed the exploitation of a critical vulnerability in the bridge connecting their infrastructure to the Secret Network. The attacker managed to withdraw digital assets worth approximately $4.67 million, using a classic attack vector — the "infinite mint bug." Notably, the incident went unnoticed for seven days, indicating serious gaps in monitoring systems.

How the Attack Was Executed

My analysis of the situation, based on data from Axelar's lead developer — the Common Prefix team, shows that the bug was localized in the ICS-20 smart contract on the Secret Network side. This contract was responsible for creating "wrapped" versions of assets (saToken) within the Cosmos IBC ecosystem. The critical error lay in the lack of validation of the channel from which the incoming transaction originated. Instead of verifying the legitimacy of the source, the contract blindly trusted any data packet.

Exploiting this, the attacker launched their own Cosmos chain with a single validator. Through this channel, they sent fake packets with arbitrary asset denominations, allowing them to mint tokens unlimitedly without any real backing. Essentially, this was a classic case of manipulating the consensus mechanism at the application level.

Scale of Damage and Response

The Axelar Emergency Committee responded promptly by disabling the Secret and Secret-SNIP connections to prevent further leaks. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds. It is important to emphasize that, according to the statement, the incident is limited to specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets were not affected.

Interestingly, the news of the hack did not trigger panic selling. On the contrary, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. However, one should not be deceived: at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This indicates a deep bearish trend that no hack can reverse.

My Expert Perspective

This incident is yet another reminder of the fragility of cross-chain bridges, especially those using modified versions of standard contracts. The lack of channel validation for incoming transactions is a basic error that should not have passed an audit. The market seems to have grown accustomed to such hacks, which explains the absence of a significant drop in SCRT. However, for investors, this is a warning sign: if the team cannot ensure the security of the basic connection, trust in the network will be undermined in the long term, despite short-term growth.