Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million

On June 19, the Axelar team officially confirmed the exploitation of a critical vulnerability in the cross-chain bridge connecting their protocol to Secret Network. The attacker took advantage of an "infinite mint" bug, allowing them to withdraw digital assets worth approximately $4.67 million. Notably, the theft went unnoticed for seven days, indicating insufficient on-chain activity monitoring by the bridge operators.
Technical Details of the Attack
According to an analysis conducted by Axelar's lead developer, Common Prefix, the vulnerability was embedded in the ICS-20 smart contract on the Secret Network side within the Cosmos IBC connection. The contract was responsible for creating "wrapped" versions of assets (saToken) but did not verify which specific channel the incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without any real backing.
Since the operations required no permission, the hacker deployed their own chain within the Cosmos ecosystem with a single validator, from which they sent packets with fake asset denominations. Thus, they created the illusion of legitimate transfers, while in reality simply "printing" tokens out of thin air.
Reaction and Scope of the Incident
The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery. According to an official statement, the incident exclusively affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The core Axelar protocol, other IBC connections, and native Secret Network assets remained untouched.
Market Does Not Panic
Despite the severity of the incident, the market reacted with unexpected calm. The price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. However, it is worth noting that at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This suggests that the market had already priced in risks for the asset, and the news of the hack did not come as a shock.

Expert Opinion
This incident once again highlights the systemic vulnerability of cross-chain bridges built on modified contracts without proper security audits. The "infinite mint" bug is a classic error that should have been identified during the testing phase. For investors, this is yet another signal that assets locked in bridges carry elevated risk, and diversification across different protocols is not just a strategy but a necessity.