Axelar Bridge and Secret Network Hack: Infinite Mint Vulnerability Cost $4.67 Million

On June 19, the Axelar cross-chain protocol officially confirmed a hack of the cross-chain bridge connecting it to the Secret Network. The attacker managed to withdraw digital assets worth approximately $4.67 million. The incident, as it turned out, was made possible by a critical vulnerability known as "infinite mint."
According to an analysis conducted by the Common Prefix development team, the breach was discovered in the ICS-20 smart contract, modified to operate on the Secret Network side within the Cosmos IBC connection. The problem was the lack of verification of the channel from which incoming transactions originated. This allowed the attacker to manipulate the algorithm for creating "wrapped" versions of assets (saToken), faking deposits and issuing tokens without any real backing.
To execute the attack, the attacker deployed their own chain with a single validator in the Cosmos ecosystem. From this controlled network, they sent packets with fictitious asset denominations, which the bridge accepted as legitimate. Notably, the theft went unnoticed for seven days.
Response and Damage Control
After the incident was discovered, the Axelar emergency committee promptly disabled the Secret and Secret-SNIP connections, preventing further unauthorized transfers. The project team is currently coordinating with exchanges and law enforcement agencies to track the movement of stolen funds and explore possible recovery.
It is important to emphasize that the attack affected only a limited pool of assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and the native assets of the Secret Network itself remained untouched.
Market Reaction
Despite the alarming news, the market reacted unexpectedly. The price of the Secret Network native token (SCRT) briefly rose nearly 6%, reaching $0.06. After a slight correction, the asset is trading around $0.058, showing a daily increase of about 3%. The market capitalization stands at approximately $20 million. For context, SCRT's all-time high was recorded in October 2021 at $10.64, representing a decline of over 99.5% from peak levels.
This incident once again underscores the critical importance of auditing cross-chain interaction logic. "Infinite mint" class vulnerabilities in bridges remain one of the most dangerous threats to DeFi, and this attack serves as a reminder that even mature projects must prioritize verifying the authenticity of incoming data rather than simply trusting the transmission channel.