Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Cost $4.67 Million

On June 19, as an analyst at Cryptalist, I recorded a serious incident in the cross-chain infrastructure. The Axelar project officially confirmed a hack of the bridge connecting its network to the Secret Network protocol. The attacker withdrew approximately $4.67 million by exploiting a critical vulnerability known as the "infinite mint bug."
The theft went unnoticed for seven days — this is an alarming signal about the insufficient responsiveness of monitoring systems.
How the Attack Was Carried Out
According to my analysis, the bug was discovered in the ICS-20 smart contract on the Secret Network side, operating within the Cosmos IBC connection. The contract created "wrapped" versions of assets (saToken) but did not verify which channel the incoming transaction came from. This allowed the attacker to falsify deposits and mint tokens without any real backing.
Since the operations required no permission, the attacker launched their own chain with a single validator in Cosmos. From this fake network, they sent packets with fake asset denominations, deceiving the bridge and generating unbacked tokens.
Reaction and Consequences
The Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to stop new unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the funds and potentially recover them.
It is important to emphasize: the incident is limited to saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The main Axelar protocol, other IBC connections, and native assets of the Secret Network are not affected. This indicates a targeted vulnerability rather than a systemic failure.
Market Reaction
Despite the report of the theft, the price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million.
However, it is worth noting that at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% above current quotes. This rise amid the hack is more likely short-term speculation than fundamental recovery.
Recall that in June, hackers attacked outdated contracts in the Aztec L2 network twice within a few days, causing damages of $2.19 million and $2.15 million, respectively. This confirms a trend: attackers are actively hunting for vulnerabilities in cross-chain bridges and outdated contracts.
My expert opinion: This incident is another reminder that the security of cross-chain infrastructure remains a weak link in the DeFi ecosystem. Projects need to implement multi-layered transaction verification systems and conduct regular audits with a focus on mint function logic. Ignoring such risks could lead to even greater losses in the future.