Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million
On June 19, the blockchain project Axelar disclosed a serious security incident involving a bridge connecting its network to the Secret Network protocol. An attacker exploited a critical vulnerability known as "infinite minting" and withdrew approximately $4.67 million. Notably, the theft went undetected for seven days, highlighting the difficulty of tracking anomalies in cross-chain infrastructure.
An analysis conducted by Common Prefix, the primary developer of Axelar, showed that the bug was embedded in the ICS-20 smart contract on the Secret Network side, operating within the Cosmos IBC connection. The contract was responsible for creating "wrapped" versions of assets (saToken) but did not verify which channel an incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without real backing.
Since the operations required no permission, the hacker launched their own chain within Cosmos with a single validator, from which they sent packets with fictitious asset denominations. As a result, the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH were compromised. The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The core Axelar protocol, other IBC connections, and native Secret Network assets were not affected.
We analyzed the incident with Secret Network. The attacker used an infinite minting bug in a modified CW20-ICS20 token contract on Secret to withdraw ≈$4.67 million. The attacker minted arbitrary Secret-wrapped Axelar assets on Secret by launching a new Cosmos chain with 1 validator and...
— Common Prefix (@CommonPrefix)
The Axelar team is coordinating with exchanges and law enforcement agencies to track the funds and facilitate their recovery.
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. Meanwhile, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes.
My comment: This incident is a classic example of how even in mature ecosystems like Cosmos IBC, fatal vulnerabilities can arise due to insufficient validation of incoming data. The "infinite minting" vulnerability is one of the most dangerous for cross-chain bridges, as it allows assets to be created out of thin air. I expect that after this case, project teams will strengthen smart contract audits, especially regarding channel and deposit verification. The market, for its part, is not panicking yet — the rise in SCRT suggests that investors believe in the team's ability to handle the consequences. However, such incidents remind us that security in DeFi is not a one-time task but an ongoing process.