Axelar and Secret Network Bridge Exploit: Hacker Steals $4.67 Million via 'Infinite Minting'
On June 19, blockchain infrastructure Axelar confirmed a serious security incident involving a bridge connecting the network to the Secret Network protocol. As a result of the attack, the attacker managed to withdraw digital assets worth approximately $4.67 million. As my analysis showed, the hack was based on a classic but dangerous vulnerability known as "infinite mint."
According to the results of an investigation conducted by Axelar's core development team, Common Prefix, the vulnerability was found in a modified CW20-ICS20 smart contract responsible for processing tokens on the Secret Network side within the IBC connection to Cosmos. The critical error was that the contract did not verify which specific channel an incoming transaction originated from. The algorithm created "wrapped" versions of assets (saToken) but did not verify the legitimacy of the deposit source.
This allowed the attacker to fabricate deposits and begin minting tokens without real backing. Since operations on the Cosmos network do not require permission, the hacker launched their own sidechain with a single validator, from which they sent fake packets with arbitrary asset denominations. Notably, the theft went unnoticed for seven full days, highlighting shortcomings in monitoring systems.
After the incident was discovered, the Axelar Emergency Committee promptly disconnected the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating efforts with exchanges and law enforcement agencies to track the stolen funds and potentially recover them.
It is important to emphasize that the attack affected a strictly limited list of tokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets (SCRT) remained untouched. Despite the news of the hack, the market reacted paradoxically: the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization stands at approximately $20 million.
For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This incident echoes recent attacks on outdated contracts in the L2 network Aztec, where damage from two hacks in June amounted to $2.19 million and $2.15 million, respectively.
My expert commentary: This case is yet another stark reminder that the security of cross-chain bridges remains the "Achilles' heel" of the entire industry. The "infinite mint" vulnerability in modified contracts is not new technology but a trivial error in the logic of incoming data verification. The fact that the attack went unnoticed for a week raises serious questions about the quality of audits and monitoring procedures within the ecosystem. Investors should be extremely cautious about assets that have passed through bridges, especially during periods of volatility, and remember that even respected protocols are not immune to such incidents.