Infinite mint vulnerability: Axelar lost $4.67 million in a bridge hack with Secret Network

On June 19, the blockchain project Axelar disclosed a hack of the bridge connecting its infrastructure with the Secret Network protocol. The attacker withdrew approximately $4.67 million by exploiting a critical "infinite mint" vulnerability in the smart contract. The theft went unnoticed for seven days, indicating serious gaps in the monitoring systems of both networks.
The bug was discovered in a modified CW20-ICS20 contract on the Secret side, operating within the Cosmos IBC connection. The algorithm created "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without any collateral. Simply put, the hacker launched their own chain with a single validator within Cosmos, from which they sent packets with fictitious asset denominations, deceiving the bridge. This attack vector is a classic example of insufficient cross-chain message validation, which we have repeatedly observed in other incidents.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery. According to the statement, the incident is limited to the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The core Axelar protocol, other IBC connections, and native assets of the Secret Network are unaffected.
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% higher than current quotes. This market reaction shows that investors do not yet perceive this incident as fatal for the project, although trust in bridges remains extremely fragile.
Analytical Commentary: This hack is yet another reminder that cross-chain bridges remain the most vulnerable point in the DeFi ecosystem. The "infinite mint" vulnerability in the ICS-20 contract is not a new technique but rather the result of negligent auditing or outdated implementation. In my view, the industry urgently needs standardized security protocols for IBC connections; otherwise, such incidents will recur with alarming regularity.