Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss
On June 19, the blockchain project Axelar officially confirmed a hack of its bridge connecting to the Secret Network protocol. As a result of the attack, the attacker withdrew funds totaling approximately $4.67 million, exploiting a critical vulnerability known as an "infinite mint bug." Notably, the theft went undetected for seven days, highlighting the complexity and stealth of the attack.
Technical Details of the Incident
According to an analysis conducted by Axelar's core developer team, Common Prefix, the vulnerability was discovered in the ICS-20 smart contract operating on the Secret Network side within the Cosmos IBC connection. Under normal conditions, this contract creates "wrapped" versions of assets (saToken), but it did not verify which channel the incoming transaction originated from. This allowed the attacker to falsify deposits and mint tokens without any real collateral.
The attacker acted cunningly: without requiring permission, they launched their own chain with a single validator within the Cosmos ecosystem. From this chain, they sent IBC packets with fake asset denominations, enabling them to mint unbacked tokens on the Secret Network side.
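The missing check described above, as an added example that is not code from Axelar, Secret Network or Common Prefix: a simplified Rust model of an ICS-20 style receive handler, first without and then with a test of the channel a packet arrived on. The `Bridge` and `Packet` types, the channel names and the `sa` prefixing rule are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};
// Constructed model of an ICS-20 style receive handler; not the real contract.
struct Packet<'a> {
    dest_channel: &'a str, // local channel the packet arrived on
    denom: &'a str,        // asset denomination claimed by the sending chain
    amount: u128,
    receiver: &'a str,
}
struct Bridge {
    allowed: HashSet<(String, String)>, // (channel, denom) routes allowed to mint
    balances: HashMap<(String, String), u128>, // (receiver, wrapped token) -> amount
}

impl Bridge {
    fn new(routes: &[(&str, &str)]) -> Self {
        let allowed = routes.iter().map(|(c, d)| (c.to_string(), d.to_string())).collect();
        Bridge { allowed, balances: HashMap::new() }
    }

    fn mint(&mut self, p: &Packet) {
        let key = (p.receiver.to_string(), format!("sa{}", p.denom));
        *self.balances.entry(key).or_insert(0) += p.amount;
    }

    // Weak form: trusts the denomination in the packet and ignores the channel.
    fn recv_unchecked(&mut self, p: &Packet) -> Result<(), String> {
        self.mint(p);
        Ok(())
    }

    // Hardened form: mint only when the packet arrived on the channel registered for that denom.
    fn recv_checked(&mut self, p: &Packet) -> Result<(), String> {
        let route = (p.dest_channel.to_string(), p.denom.to_string());
        if !self.allowed.contains(&route) {
            return Err(format!("{} not accepted on {}", p.denom, p.dest_channel));
        }
        self.mint(p);
        Ok(())
    }
    fn balance(&self, who: &str, token: &str) -> u128 {
        *self.balances.get(&(who.to_string(), token.to_string())).unwrap_or(&0)
    }
}

fn main() {
    let mut b = Bridge::new(&[("channel-axelar", "USDT")]); // constructed route
    let p = Packet { dest_channel: "channel-other", denom: "USDT", amount: 1_000, receiver: "acct" };
    println!("{:?}", b.recv_checked(&p)); // rejected: wrong channel for this denom
}
```

Binding each wrapped asset to the one channel allowed to back it means a packet from any other chain fails before any mint happens, whatever denomination it claims.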
Response and Scale of Damage
After the incident was discovered, the Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their recovery.
It is important to emphasize that the attack only affected a limited range of coins: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The core Axelar protocol, other IBC connections, and native assets of the Secret Network remained untouched. This indicates that the vulnerability was localized to a specific contract, not the infrastructure as a whole.
Market Reaction and Context
Despite such a serious event, the market reacted ambiguously. The price of the Secret token (SCRT) briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. For comparison, at its all-time high in October 2021, SCRT was worth $10.64, which puts the current price about 99.5% below that peak.
This incident serves as a reminder that even in mature ecosystems like Cosmos, cross-chain bridges remain one of the most vulnerable points of infrastructure. The "infinite mint" vulnerability is a classic example of how insufficient validation of incoming data can lead to catastrophic consequences.
My expert opinion: This attack is further confirmation that smart contract security in bridges requires comprehensive auditing and formal verification. While the Axelar team acted promptly, the fact that the theft went undetected for seven days raises questions about on-chain activity monitoring. Investors should consider that such incidents, although not affecting core protocols, undermine trust in cross-chain solutions and may exert long-term downward pressure on token prices.