The Axelar and Secret Network bridge has been hacked: a hacker withdrew $4.67 million through an "infinite mint" vulnerability.
On June 19, the team behind the blockchain project Axelar officially confirmed a hack of the cross-chain bridge connecting their network to the Secret Network protocol. The incident resulted in a loss of approximately $4.67 million, which was withdrawn by the attacker using a critical vulnerability known as "infinite mint."
Analysis conducted by the development team revealed that the vulnerability was embedded in the ICS-20 smart contract on the Secret Network side, operating within the Cosmos IBC connection. The issue was that the algorithm for creating "wrapped" versions of assets (saToken) did not verify which specific channel an incoming transaction originated from. This allowed the attacker to fabricate deposits and mint tokens without any real backing.
The exploitation process was technically sophisticated but simple to execute: the attacker launched their own Cosmos chain with a single validator, through which they sent packets with fictitious denominations. Notably, the theft went unnoticed for seven days. The Axelar Emergency Committee promptly disconnected the Secret and Secret-SNIP connections to prevent further unauthorized withdrawals. The team is currently coordinating with exchanges and law enforcement agencies to track and potentially recover the stolen assets.
The incident exclusively affected saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH tokens. The core Axelar protocol, other IBC connections, and native assets of the Secret Network were not impacted.
The market reaction was unexpectedly positive for the native token of the Secret Network (SCRT). Despite the news of the hack, the price of SCRT surged nearly 6%, reaching $0.06. After a slight correction, the asset is trading around $0.058, maintaining a daily gain of approximately 3%. The project's market capitalization stands at roughly $20 million.
For context: at its all-time high in October 2021, SCRT was worth $10.64, which is 99.5% higher than current quotes. This hack, while significant in amount, appears to have been perceived by the market as a local issue with a specific bridge rather than a fundamental blow to the Secret Network project.
Expert commentary: Attacks on bridges using "infinite mint" vulnerabilities have already become a classic example of the risks associated with cross-chain interactions. The lack of verification of the incoming transaction channel is a crude but common mistake in contracts that attempt to simplify the asset wrapping process. Investors should pay closer attention to projects where verification mechanisms are not multi-layered and do not include audits by independent experts. The current rise in SCRT may be a short-term pump on the news, and fundamental risks to pool liquidity remain high.