Hack of Axelar Bridge and Secret Network: $4.67 million attack via "infinite minting"
On June 19, the team behind the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting its infrastructure to the Secret Network protocol. As a result of the attack, the perpetrator withdrew approximately $4.67 million by exploiting a critical vulnerability known as an "infinite mint bug."
Notably, the theft went undetected for a full seven days. This indicates a lack of effectiveness in monitoring and incident response systems within the Secret Network ecosystem, serving as a serious warning for the entire DeFi sector.
Technical Details of the Attack
According to an analysis conducted by Axelar's lead developer, the Common Prefix team, the vulnerability was discovered in the ICS-20 smart contract on the Secret Network side within the Cosmos IBC connection. The issue was that the algorithm creating "wrapped" versions of assets (saToken) did not verify which specific channel an incoming transaction originated from. This allowed the attacker to fabricate deposits and mint tokens without real backing.
Since the operations did not require permission, the attacker launched their own chain with a single validator on the Cosmos network. From this chain, they sent packets with fake asset denominations, leading to an unlimited issuance of funds.
Consequences and Response
Axelar's emergency committee promptly disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The project team is actively coordinating with exchanges and law enforcement agencies to track the stolen funds and explore potential recovery options.
It is important to emphasize that the incident only affected specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The core Axelar protocol, other IBC connections, and native Secret Network assets were not impacted.
Market Reaction
Despite the alarming news, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of approximately 3%. The project's market capitalization stands at roughly $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current levels.
Expert Opinion. This incident serves as another reminder that even in mature ecosystems like Cosmos IBC, vulnerabilities at the smart contract level can lead to catastrophic consequences. However, the market shows surprising resilience: the rise in SCRT amid news of the hack suggests that investors may already be pricing in expectations of compensation or a swift recovery. Nevertheless, for long-term security, projects need to implement stricter audits and real-time monitoring systems.