Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million

On June 19, the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting its network to the Secret Network protocol. The attack, based on exploiting an "infinite mint" vulnerability, allowed the attacker to withdraw assets worth approximately $4.67 million. The incident went unnoticed for seven days, highlighting the complexity of monitoring cross-network operations in the Cosmos ecosystem.
Technical Details of the Attack
According to an analysis conducted by Axelar's lead developer, Common Prefix, the vulnerability was discovered in the ICS-20 smart contract on the Secret Network side. This contract is responsible for creating "wrapped" versions of assets (saToken) in the Cosmos IBC connection. However, the key error was the lack of verification of the channel from which the incoming transaction originated. This allowed the attacker to falsify deposits and mint tokens without real backing.
The attacker launched their own Cosmos chain with a single validator, from which they sent packets with fake asset denominations. Since the operations did not require permission, they were able to infinitely mint tokens until the vulnerability was discovered.
Response and Scale of Damage
Axelar's Emergency Committee immediately disabled the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and potentially recover them. It is important to note that the incident only affected specific coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets remained untouched.
Market and Consequences
Despite the report of the theft, the price of the Secret token (SCRT) showed an unexpected increase—nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization is approximately $20 million. Notably, at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This paradoxical growth may be linked to short-term speculation amid the news, but in the long term, trust in the protocol could be shaken.
This incident serves as a reminder of the risks associated with outdated contracts in L2 networks. For example, in June, hackers attacked Aztec twice, causing damages of $2.19 million and $2.15 million. "Infinite mint" vulnerabilities are becoming increasingly common in the Cosmos ecosystem, requiring teams to conduct more thorough audits and implement channel verification mechanisms.
Expert Opinion: This hack is another signal that cross-chain bridges remain a weak link in DeFi infrastructure. The lack of channel verification in IBC connections is a basic error that could have been prevented at the design stage. The market will likely respond by tightening audit requirements and enhancing monitoring of cross-network transactions, which will ultimately benefit the entire ecosystem.