Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Costs $4.67 Million
On June 19, the team behind the blockchain project Axelar revealed details of a hack on the cross-chain bridge connecting their network to the Secret Network protocol. The attacker exploited a critical vulnerability known as "infinite mint" and withdrew digital assets worth approximately $4.67 million. Notably, the theft went undetected for seven days, indicating insufficient monitoring system responsiveness within the Secret chain.
According to an analysis conducted by Axelar's lead developer team, Common Prefix, the bug was found in the ICS-20 smart contract deployed on the Secret Network side as part of the Cosmos IBC connection. The algorithm is designed to create "wrapped" versions of assets (saToken), but it did not verify which specific channel an incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without real collateral. Since the operations required no permission, the hacker launched their own chain within Cosmos with a single validator, from which they sent packets containing fictitious asset denominations.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt any new unauthorized transfers. The team is already coordinating with exchanges and law enforcement agencies to track the funds and potentially recover them. It is important to emphasize that the incident only affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network were not compromised.
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64 — 99.5% above current levels. This market reaction to the hack appears paradoxical but may be linked to expectations of compensation or temporary hype surrounding the news.
My expert commentary: This incident serves as yet another reminder that "infinite mint" vulnerabilities remain one of the most dangerous threats to cross-chain bridges. The lack of verification of the source of incoming transactions in ICS-20 contracts is a fundamental design flaw that could have been identified during the audit phase. For investors, this is a signal: even major projects with strong teams are not immune to such attacks, and risk diversification is not just a recommendation but a necessity.