Axelar Bridge and Secret Network Hack: 'Infinite Mint' Vulnerability Leads to $4.67 Million Loss

On June 19, the Axelar blockchain protocol officially confirmed a hack of the cross-chain bridge connecting it to the Secret Network. The attacker exploited a critical vulnerability known as "infinite mint" and siphoned off approximately $4.67 million. The theft went unnoticed for seven days — a serious signal of shortcomings in cross-network transaction monitoring.
According to an analysis conducted by the Common Prefix development team, the bug was found in the ICS-20 smart contract on the Secret Network side, which operates within the Cosmos ecosystem via an IBC connection. The issue was that the algorithm creating "wrapped" versions of assets (saToken) did not verify which channel the incoming transaction came from. This allowed the attacker to fake deposits and mint tokens without real backing.
To carry out the attack, the attacker launched their own chain with a single validator in Cosmos, from which they sent packets with fake asset denominations. Since the operations required no permission, the bridge simply accepted this false data, creating unbacked saTokens.
Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections to halt further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the stolen funds. It is important to emphasize: the incident only affected saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH coins. The main Axelar protocol, other IBC connections, and native Secret Network assets remained untouched.
Despite such a serious event, the market reacted paradoxically. The price of the Secret (SCRT) token briefly surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of approximately 3%. The market capitalization stands at about $20 million. For context, at its all-time high in October 2021, SCRT was worth $10.64 — current quotes are 99.5% lower. This is a classic example of how short-term speculative sentiment can ignore fundamental risks.
Against the backdrop of this incident, it is worth recalling that in June, hackers twice attacked outdated contracts in the Aztec L2 network, stealing $2.19 million and $2.15 million respectively. The market is clearly entering a phase where cross-chain bridge vulnerabilities are becoming a primary target — and this requires all projects to rethink their security architecture.
Expert opinion: The Axelar hack is not an accident but a pattern. The "infinite mint" vulnerability is a classic problem for bridges, where trust in the data transmission channel is not verified at the contract level. Until teams implement mandatory transaction source verification and multi-layered audit mechanisms, such incidents will recur. Investors should take a closer look at tokens associated with bridges — their liquidity may prove illusory.