Crypto news

22.06.2026
02:56

Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss

hackers, fund movement

On June 19, the Axelar team officially confirmed the hack of the cross-chain bridge connecting the Axelar ecosystem with the Secret Network protocol. The attacker managed to withdraw funds totaling approximately $4.67 million by exploiting a critical vulnerability known as "infinite mint." Notably, the attack went unnoticed for seven days, indicating insufficient monitoring infrastructure on the Secret Network side.

As determined by Axelar's lead developer, Common Prefix, the bug was embedded in the ICS-20 smart contract, modified to work with Secret Network tokens. This contract, deployed on the Cosmos IBC connection, was responsible for creating "wrapped" versions of assets (saToken). The key error was the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and mint tokens without any real collateral.

To execute the attack, the attacker launched their own chain in the Cosmos ecosystem with a single validator. From this chain, they sent packets with fictitious asset denominations, which the ICS-20 contract accepted as legitimate. Thus, the hacker was able to mint an unlimited number of tokens without depositing real funds.

The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The project team is already coordinating with exchanges and law enforcement agencies to track the stolen funds and potentially recover them. It is important to emphasize that the incident affected only saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH tokens. The core Axelar protocol, other IBC connections, and native Secret Network assets were not compromised.

Despite the news of the theft, the market reacted ambiguously. The price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The project's market capitalization stands at approximately $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current levels. This decline demonstrates how much the market had already discounted the risks associated with the project.

Expert opinion. This incident is yet another reminder that cross-chain bridges remain one of the most vulnerable points in DeFi infrastructure. The channel verification error is a simple but devastating bug that could have been identified during the audit stage. Nevertheless, the market showed surprising resilience: the rise in SCRT after the news suggests that investors may perceive this attack as an isolated issue rather than a systemic failure. However, trust in such bridges will not be restored quickly, especially given that the vulnerability went unnoticed for an entire week.