The "infinite mint" vulnerability in the Axelar bridge cost the project $4.67 million — how a hacker deceived Secret Network
On June 19, the cross-chain protocol Axelar confirmed a hack of the bridge connecting its network to the privacy platform Secret Network. The attacker withdrew digital assets worth approximately $4.67 million by exploiting a vulnerability known as an "infinite mint bug."
The incident went unnoticed for seven days — an alarming signal for the entire ecosystem of cross-chain bridges, which continue to be one of the weakest points in DeFi infrastructure.
Axelar's lead developer, the Common Prefix team, conducted a detailed analysis and determined that the bug was embedded in the ICS-20 smart contract on the Secret Network side, used in the IBC (Inter-Blockchain Communication) connection of the Cosmos ecosystem. The problem was that the contract, which creates "wrapped" versions of assets (saToken), did not verify which channel the incoming transaction came from. This allowed the attacker to fake deposits and mint tokens without real backing.
The attacker launched their own chain in Cosmos with a single validator and used it to send packets with fictitious asset denominations. Since no permission was required for such operations, they were able to generate tokens indefinitely until they drained the bridge's liquidity pool.
Axelar's Emergency Committee immediately disabled the Secret and Secret-SNIP connections to block further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds. It is important to emphasize that the incident only affected the saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The main Axelar protocol, other IBC connections, and native assets of Secret Network remained untouched.
The market reacted to the news with surprising optimism: the price of the Secret token (SCRT) briefly jumped nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, showing a daily increase of about 3%. The market capitalization is approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64 — meaning current quotes are 99.5% below peak values.
My analysis: This case is yet another reminder that cross-chain bridges remain the "Achilles' heel" of DeFi. The "infinite mint" vulnerability is a classic but still effective attack vector that exploits insufficient validation of incoming data. The Axelar team acted promptly, but the very fact of a seven-day detection delay indicates the need for stricter monitoring procedures. The paradoxical rise in SCRT amid the hack is likely due to investors viewing the news as "removing uncertainty," but the fundamental risks for such projects remain high.