Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million
On June 19, as a crypto market analyst, I recorded a serious incident in the cross-chain interaction ecosystem. The blockchain project Axelar disclosed a hack of the bridge connecting it to the Secret Network protocol. The attacker, exploiting a vulnerability of the "infinite mint" type, managed to withdraw funds totaling approximately $4.67 million.
The theft went unnoticed for seven days, indicating the complexity and stealthiness of the attack. During the analysis of the incident, conducted jointly with the Common Prefix team, it was determined that the bug was contained in the ICS-20 smart contract on the Secret Network side within the Cosmos IBC connection. The problem was the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to create "wrapped" versions of assets (saToken) without real backing, by falsifying deposits.
Since the protocol did not require permission for such operations, the attacker launched their own Cosmos chain with a single validator. From this chain, they sent packets with fictitious asset denominations, thereby minting unbacked tokens. In response, the Axelar Emergency Committee promptly disconnected the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is now coordinating with exchanges and law enforcement agencies to track and recover the stolen funds.
It is important to emphasize that the incident exclusively affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched. Despite the seriousness of the situation, the market reacted ambiguously: the price of the Secret token (SCRT) momentarily surged nearly 6%, reaching $0.06, before correcting to $0.058, maintaining a daily increase of about 3%. The project's market capitalization is approximately $20 million.
For context: at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This incident serves as a reminder of the risks associated with outdated contracts: earlier in June, hackers attacked the L2 network Aztec twice, causing damages of $2.19 million and $2.15 million.
Expert opinion: This hack is a classic example of how even a small error in channel verification logic can lead to catastrophic consequences. The market, however, demonstrates surprising resilience: the rise in SCRT amid news of the theft suggests that investors have not yet lost faith in the project's fundamental metrics. Nevertheless, for Axelar and Secret Network, this is a serious wake-up call — it is necessary to review security mechanisms in IBC connections to avoid the recurrence of such attacks in the future.