The "infinite mint" vulnerability in the Axelar and Secret Network bridge led to a loss of $4.67 million.

On June 19, the blockchain project Axelar officially confirmed the hack of the cross-chain bridge connecting it to the Secret Network protocol. As a result of the attack, the attacker withdrew assets worth approximately $4.67 million by exploiting a critical vulnerability in the smart contract known as "infinite mint."
Details of the Bug Exploitation
According to the team at Common Prefix, the primary developer of Axelar, the vulnerability was found in a modified CW20-ICS20 contract deployed on the Secret Network side as part of an IBC connection with the Cosmos ecosystem. The issue was that the algorithm for creating "wrapped" tokens (saToken) did not verify the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and mint wrapped versions of assets without any collateral.
The attacker launched their own chain in Cosmos with a single validator, from which they sent packets with fictitious token denominations. The operations required no permission, making the attack technically simple and fast. Notably, the theft went unnoticed for seven days, indicating shortcomings in the monitoring and auditing systems on the bridge side.
Consequences and Response Measures
After the incident was discovered, the Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The project team is coordinating with exchanges and law enforcement agencies to track the stolen funds and potentially recover them. According to an official statement, the attack only affected specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets remained untouched.
Market and SCRT Price
Despite the severity of the incident, the market reacted unexpectedly. The price of the native Secret Network token (SCRT) surged nearly 6% at one point, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The current market capitalization is approximately $20 million. For comparison, at its all-time high in October 2021, SCRT was worth $10.64 — 99.5% above current quotes, highlighting a deep bearish trend for this asset.
My analysis: This incident is yet another reminder that even in mature cross-chain protocols, smart contract vulnerabilities remain a critical point of failure. The lack of channel verification in the IBC connection is a simple but devastating mistake. Interestingly, the market did not punish SCRT for the hack, which may indicate that investors have already priced in low liquidity and high risks. However, for Axelar, this is a serious reputational blow that could undermine trust in its bridge solutions in the long term.