Crypto news

22.06.2026
00:32

Exploit of the Axelar and Secret Network bridge: "infinite mint" vulnerability leads to $4.67 million loss

хакеры hackers, перемещение средств 2

On June 19, the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting its network to the Secret Network protocol. As a result of the attack, the attacker withdrew approximately $4.67 million by exploiting a critical vulnerability known as the "infinite mint bug." Notably, the theft went unnoticed for seven days, indicating insufficient responsiveness in monitoring systems.

Exploit Details: How the Attack Was Executed

According to an analysis conducted by the team of Axelar's lead developer, Common Prefix, the vulnerability was found in the ICS-20 smart contract, modified for operation on the Secret Network side within an IBC connection to the Cosmos ecosystem. The contract was responsible for creating "wrapped" versions of Axelar assets (saToken-type tokens). However, the key flaw was the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to fabricate deposit data and mint unbacked tokens without any real collateral.

Since the protocol did not require permission to perform such operations, the attacker launched their own custom chain in Cosmos with a single validator. From this controlled network, they sent packets with fictitious asset denominations, which the contract on Secret accepted as legitimate, thereby "printing" millions of dollars in wrapped tokens.

Reaction and Consequences

Axelar's Emergency Committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. Currently, the team is coordinating with centralized exchanges and law enforcement agencies to track the stolen funds and potentially recover them.

It is important to emphasize that the incident affected only a limited pool of assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets (SCRT) remained untouched. Despite this, the market reacted paradoxically: the price of the SCRT token briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization is approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current levels.

My Expert Commentary: This incident is a classic example of how even in mature ecosystems like Cosmos IBC, a simple logical error in a contract can lead to multi-million dollar losses. The lack of sender channel verification is a fundamental oversight that should have been identified during the audit phase. The market, in turn, shows surprising resilience: the rise in SCRT amid the hack suggests that investors view this case as an isolated failure that does not undermine trust in the Secret Network protocol itself. However, for Axelar, this is a serious reputational blow that will require strengthening the security of all bridge connections.