Axelar reveals Secret Network bridge exploit: "infinite minting" vulnerability cost $4.67 million
On June 19, blockchain infrastructure project Axelar officially confirmed a hack of its cross-chain bridge connecting the ecosystem with the Secret Network protocol. As a result of the attack, the attacker withdrew assets worth approximately $4.67 million, exploiting a critical vulnerability known as "infinite mint."
The incident went unnoticed for seven days, highlighting the complexity of monitoring cross-network transactions in modern L0 protocols. An analysis conducted by the Common Prefix team, the primary developer of Axelar, showed that the vulnerability was embedded in a modified CW20-ICS20 smart contract on the Secret Network side, used in the Cosmos IBC (Inter-Blockchain Communication) connection.
Attack Mechanism and Scale of Damage
The key issue was the lack of verification of the sender channel when processing incoming transactions. The contract algorithm created "wrapped" versions of assets (saToken) without verifying which channel the deposit came from. This allowed the attacker to deploy their own custom Cosmos chain with a single validator and send packets from it with arbitrary asset denominations, essentially minting tokens without real backing.
The exploit affected a specific pool of assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. It is important to note that the main Axelar protocol, other IBC connections, and native Secret Network assets (SCRT) remained untouched. The Axelar emergency committee promptly disconnected the Secret and Secret-SNIP connections to block further unauthorized transfers. The team is now coordinating with exchanges and law enforcement agencies to track and potentially recover the funds.
Market Reaction and Context
Despite the severity of the incident, the market reacted paradoxically. The price of the Secret token (SCRT) momentarily surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3% with a market capitalization of approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This case serves as another reminder that even during a "bear" market, hackers do not let up, and vulnerabilities in cross-chain infrastructure remain one of the hottest targets for attacks.
My expert conclusion: This incident once again raises the issue of the need to implement formal verification of smart contracts and multi-level audit systems for IBC connections. Until the industry standardizes channel checks and implements zero-trust mechanisms at the bridge level, such attacks will continue, exploiting basic logical errors in contracts.