Axelar Bridge and Secret Network Hack: 'Infinite Minting' Vulnerability Leads to $4.67 Million Loss

On June 19, the Axelar blockchain infrastructure officially confirmed a hack of the cross-chain bridge connecting it to the Secret Network protocol. The attacker withdrew approximately $4.67 million by exploiting a critical smart contract bug known as an "infinite mint bug." Notably, the theft went undetected for seven days, indicating an insufficient level of on-chain activity monitoring on the Secret side.
Technical Details of the Attack
As determined by the Common Prefix team, the primary developer of Axelar, the vulnerability was embedded in the modified CW20-ICS20 contract used in the IBC connection of Cosmos on the Secret Network side. The algorithm was responsible for creating "wrapped" versions of assets (saToken) but did not verify the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and mint tokens without any backing.
Since operations in the Cosmos network did not require permission, the attacker launched their own chain with a single validator. From this chain, they sent packets with fictitious asset denominations, which the contract on Secret accepted as legitimate, issuing unbacked saTokens.
Reaction and Consequences
The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track and potentially recover the funds.
The incident affected only wrapped assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched. This narrows the scope of the damage but does not diminish the severity of the vulnerability.
Market Reaction
Despite the public disclosure of the theft, the price of the Secret Network native token (SCRT) paradoxically rose by nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily increase of approximately 3%. The market capitalization stands at about $20 million. However, it is worth noting that since its all-time high in October 2021 ($10.64), SCRT has lost over 99.5% of its value.

This incident is yet another reminder that, even with apparent reliability, cross-chain bridges remain one of the most vulnerable points in the ecosystem. The "infinite mint" vulnerability is classic but, as practice shows, still not fully eradicated. In my opinion, project teams need to implement multi-level channel verification systems and conduct audits with a focus on minting logic, rather than just standard attack vectors.