Crypto news

22.06.2026
08:40

$4.67 million stolen: Axelar reveals critical 'infinite mint' bug in bridge with Secret Network

hackers, fund movement

On June 19, the team behind the cross-chain protocol Axelar confirmed the exploitation of a vulnerability in the bridge connecting its infrastructure to the Secret Network. The attacker managed to withdraw digital assets worth approximately $4.67 million by exploiting a so-called "infinite mint" bug. Notably, the incident went unnoticed for a full seven days.

Technical Details of the Attack

An analysis conducted by Axelar's lead developer, the Common Prefix team, identified the root of the problem in a modified CW20-ICS20 smart contract on the Secret Network side. This contract was responsible for creating "wrapped" versions of Axelar assets (saToken tokens) in the Cosmos ecosystem via an IBC connection. The fatal error was the lack of channel verification for incoming transactions. The algorithm blindly trusted any packet, allowing the attacker to fake deposits and mint tokens not backed by real funds.

To execute the scheme, the hacker launched their own chain on the Cosmos network with a single validator. Through this channel, they sent packets with fictitious asset denominations, which the contract on Secret accepted as legitimate deposits. This allowed unlimited minting of saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH, which were then withdrawn to other networks.

Reaction and Consequences

Axelar's Emergency Committee promptly disabled the Secret and Secret-SNIP connections, halting the flow of unauthorized transactions. The team is currently coordinating with exchanges and law enforcement agencies to track the stolen funds. It is important to emphasize that the incident affected only the wrapped assets listed above. The core Axelar protocol, other IBC connections, and native Secret Network tokens remained untouched.

A curious market reaction: despite the news of the theft, the price of Secret's native token (SCRT) briefly surged nearly 6%, reaching $0.06. After a slight correction, the asset is trading around $0.058, showing a daily gain of about 3%. The project's market capitalization stands at approximately $20 million. For context, SCRT's all-time high was recorded in October 2021 at $10.64, which is over 99% above current levels.

My expert commentary: This incident is a classic example of a vulnerability in cross-chain communication logic. The problem lies not in the Axelar protocol itself, but in the contract implementation on the Secret Network side. The lack of incoming channel validation is a crude, yet unfortunately common, mistake in complex multi-chain environments. This case serves as a stark reminder: bridge security is determined by the weakest link in the contract chain. Projects must implement multi-layered checks, especially when dealing with IBC packets, where trust in the source must be strictly verified.