Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Costs $4.67 Million
On June 19, blockchain infrastructure Axelar officially confirmed a hack of the cross-chain bridge connecting it to the Secret Network protocol. The attacker siphoned approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint." This attack went undetected for seven days, highlighting serious gaps in security monitoring at the intersection of the two networks.
An incident analysis conducted by the Common Prefix team (Axelar's primary developer) revealed that the bug was located in a modified CW20-ICS20 smart contract on the Secret Network side within the Cosmos IBC connection. The issue stemmed from a lack of verification of incoming transaction channels — the contract automatically created "wrapped" versions of assets (saToken) without verifying the source of deposits. The attacker exploited this by launching their own Cosmos chain with a single validator, from which they sent packets with fictitious denominations, minting tokens without real backing.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to block further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds. Importantly, the incident only affected specific tokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Axelar's main protocol, other IBC connections, and Secret Network's native assets remained untouched.
The market reaction to the news was unexpected: the price of the Secret token (SCRT) surged nearly 6% immediately after the hack was disclosed, reaching $0.06. After a correction, the asset is trading around $0.058, still 3% above the previous close. The market capitalization stands at approximately $20 million. For context, SCRT's all-time high in October 2021 was $10.64, more than 99% above current levels. This suggests that either the market did not perceive the incident as a systemic threat, or speculators used the news for short-term gains.
Expert Commentary: This hack is a classic example of how the complexity of cross-chain interactions becomes a security weak point. The "infinite mint" vulnerability is not new, but its recurrence in modified contracts indicates that teams are not thoroughly testing IBC integrations. Investors should consider that such incidents can undermine trust in cross-chain bridges, putting downward pressure on related token values in the long term, despite short-term speculative spikes.