Crypto news

22.06.2026
05:41

Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million

хакеры hackers, перемещение средств 2

On June 19, 2026, the team behind the Axelar blockchain project officially confirmed the exploitation of a critical vulnerability in the cross-chain bridge connecting Axelar to the Secret Network protocol. As a result of the attack, the perpetrator withdrew approximately $4.67 million by exploiting a bug known as an "infinite mint."

How the Attack Was Executed

According to a detailed analysis conducted by Axelar's lead developer, the Common Prefix team, the vulnerability was discovered in the ICS-20 smart contract on the Secret Network side, operating within the IBC connection of the Cosmos ecosystem. The contract was responsible for creating "wrapped" versions of assets (saToken), but the critical error lay in the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and mint tokens without real backing.

Since operations on the Cosmos network did not require permission, the attacker launched their own chain with a single validator. From this chain, they sent IBC packets with fake asset denominations, leading to the unauthorized issuance of tokens.

Scale and Consequences

The theft went unnoticed for seven days. After the incident was discovered, the Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. Currently, the team is coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their recovery.

It is important to emphasize that the incident only affected specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network were not compromised.

Market Reaction

Despite the report of the theft, the market reacted unexpectedly. The price of the Secret token (SCRT) surged nearly 6% at one point, reaching $0.06. After a slight correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The current market capitalization stands at approximately $20 million. Notably, SCRT has fallen 99.5% from its all-time high in October 2021 ($10.64).

Expert Opinion

This incident serves as yet another reminder that even time-tested bridges and protocols remain vulnerable to attacks at the smart contract level. The lack of validation of the incoming transaction channel is a classic error that, seemingly, should have been identified during the audit stage. The market, in turn, shows a paradoxical reaction: the short-term rise in SCRT amid the theft indicates that investors perceive the isolation of the vulnerability as a positive signal, although the fundamental security of the ecosystem remains questionable.