Axelar cross-chain bridge hacked for $4.67 million: 'infinite mint' exploit went unnoticed for a week
On June 19, blockchain infrastructure Axelar confirmed a hack of its bridge connecting the Cosmos ecosystem with the Secret Network protocol. The attacker managed to withdraw approximately $4.67 million by exploiting a critical vulnerability in the ICS-20 smart contract on the Secret side.
According to Axelar's internal analysis, the incident was made possible by an "infinite-mint bug." The contract responsible for creating wrapped versions of assets (saTokens) did not verify the source of incoming transactions — meaning it did not check which specific IBC channel the request came from. This allowed the attacker to falsify deposits.
To execute the attack, the hacker deployed their own chain in the Cosmos network with a single validator. Through this chain, they sent packets with fictitious asset denominations, after which the contract on Secret Network unconditionally generated the corresponding amount of wrapped tokens. Notably, the theft went unnoticed for seven days — only a week later did the Axelar team detect the anomaly.
Axelar's emergency committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track and potentially recover the stolen funds.
It is important to emphasize: the incident affected only wrapped assets — saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and Secret Network's native assets (SCRT) were not compromised.
Despite the alarming news, the market reacted paradoxically: the price of SCRT briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of approximately 3%. The market capitalization stands at about $20 million. However, it is worth recalling that at its all-time high in October 2021, SCRT was worth $10.64 — current quotes are 99.5% lower.
This case is yet another reminder that even in mature ecosystems with formally audited contracts, hidden vulnerabilities remain. The lack of validation of the source of incoming transactions in IBC connections is a fundamental error that could be replicated in other bridges. I strongly recommend that project teams audit their ICS contracts for similar bugs.