Axelar and Secret Network: $4.67 million bridge hack — 'infinite mint' vulnerability exposed

On June 19, the blockchain infrastructure project Axelar officially confirmed a hack of the bridge connecting its network with the privacy protocol Secret Network. The attack, which lasted a full seven days, went unnoticed until the attacker withdrew approximately $4.67 million by exploiting a critical vulnerability known as an "infinite-mint bug."
Attack Details: How the Hacker Bypassed Security
The incident was analyzed by the Common Prefix team, the primary developer of Axelar. The bug was found in the ICS-20 smart contract, a modified version of CW20-ICS20 operating on the Secret Network side within the Cosmos IBC connection. The vulnerability lay in the fact that the algorithm creating "wrapped" assets (saToken — Secret-wrapped Axelar assets) did not verify which channel the incoming transaction came from. This allowed the attacker to fabricate deposits and mint tokens without any real backing.
To execute the attack, the hacker launched a new chain within the Cosmos ecosystem with a single validator. From this controlled network, they sent packets with fake asset denominations, effectively allowing them to "print" an unlimited number of tokens. The Axelar Emergency Committee immediately disconnected the Secret and Secret-SNIP connections to prevent further unauthorized transfers. The team is coordinating with exchanges and law enforcement agencies to track the stolen funds and facilitate their return.
Consequences and Market Reaction
It is important to emphasize that the incident affected exclusively the coins saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The main Axelar protocol, other IBC connections, and native Secret Network assets remained untouched. Nevertheless, vulnerabilities in bridges are always a signal of risks for the entire ecosystem.
Despite the shocking news, the market reacted unexpectedly: the price of the Secret token (SCRT) momentarily surged nearly 6%, reaching $0.06. After a correction, the asset is trading around $0.058, maintaining a daily gain of about 3%. The market capitalization stands at approximately $20 million. However, it is worth noting that from its all-time high in October 2021 ($10.64), SCRT has fallen by 99.5%, illustrating how deeply the current bearish pressure affects the asset.
Expert Analysis
This incident serves as another reminder that bridges remain the most vulnerable point in DeFi infrastructure. The "infinite-mint" vulnerability is a classic but dangerous error in contract logic that occurs when developers fail to account for data source verification. In this case, the lack of input channel validation allowed the hacker to bypass all security mechanisms. For investors, this is a signal: before using cross-chain solutions, it is worth thoroughly analyzing smart contract audits, especially those dealing with asset "wrappers." The market appears to have already priced the risks into SCRT, but the project's long-term reputation may suffer if radical security enhancement measures are not taken.