The "infinite mint" vulnerability in the Axelar and Secret Network bridge led to a theft of $4.67 million.

The cross-chain protocol Axelar has disclosed a security incident related to the bridge connecting it to the Secret Network. An attacker exploited a critical smart contract vulnerability, allowing them to withdraw funds totaling approximately $4.67 million. The theft went unnoticed for seven days, indicating insufficient responsiveness in the monitoring systems.
The attack is based on an "infinite mint" bug in a modified CW20-ICS20 contract deployed on the Secret Network side. This contract is responsible for creating "wrapped" versions of assets (saToken) within the Cosmos IBC ecosystem. The vulnerability stemmed from a lack of verification of the channel from which the incoming transaction originated. The attacker was able to fake deposits by launching a new Cosmos chain with a single validator and mint tokens without real backing.
The Axelar Emergency Committee promptly disabled the Secret and Secret-SNIP connections to prevent further unauthorized operations. The project team is coordinating with exchanges and law enforcement agencies to track and recover the stolen funds. It is important to emphasize that the incident exclusively affected the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched.
Despite the severity of the hack, the market reacted ambiguously. The price of the Secret token (SCRT) rose nearly 6% at the time of publication, reaching $0.06, before correcting to $0.058, maintaining a daily gain of about 3%. The asset's market capitalization is approximately $20 million. However, it is worth noting that the token is trading 99.5% below its all-time high of $10.64, reached in October 2021.
My analysis: This incident is yet another reminder that cross-chain bridges remain among the most vulnerable elements of decentralized infrastructure. Despite claims of security, bugs in smart contracts, especially those related to channel verification, can lead to catastrophic consequences. The market, however, demonstrates surprising resilience, which may indicate investors becoming accustomed to such events. Restoring trust in the bridge will require not only the return of funds but also a significant enhancement of code audits.