Secret Network's Axelar Bridge Drained $4.67M via Infinite-Mint Flaw

Secret Network's cross-chain bridge to Axelar has been suspended after an attacker exploited a years-old minting flaw to drain $4.67 million in wrapped tokens over seven undetected days.

Both teams disclosed the incident on June 19, confirming approximately $4.67 million in assets were taken from the bridge's Axelar-to-Secret IBC connection. The attack itself began on June 10 but went unnoticed for seven days until a routine cross-chain transfer failed because the bridge's escrow account had been depleted.

Minting Flaw

The vulnerability lived in a modified CW20-ICS20 smart contract deployed on Secret Network for the Axelar bridge connection. Security research firm Common Prefix published a technical breakdown of the incident, finding that two critical validation checks had been commented out from the contract's packet-receive function: one that should have verified incoming token denominations against the legitimate source channel, and one that should have capped outflows to amounts genuinely held in escrow.

The flaw dates to the contract's initial deployment in March 2023 and survived a migration on March 5, 2026 that updated the bytecode for new features but preserved the missing checks. Secret Network's default transaction encryption obscured the growing shortfall from on-chain observers; the attack ran for seven days before a failed transfer surfaced it.

To exploit the gap, the attacker spun up a single-validator Cosmos SDK chain and opened a new IBC channel to Secret Network. IBC channel creation is permissionless by design, meaning any chain can initiate a connection. The attacker self-relayed forged IBC packets carrying bare denominations that matched the bridge's allow-list. With both validation checks missing, the contract minted unbacked wrapped tokens on Secret. The attacker then redeemed those minted tokens over the legitimate Axelar channel to drain the real escrowed assets on the other side.

Seven Tokens Drained

The assets taken were seven Axelar-wrapped tokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. According to KuCoin's reporting, Common Prefix traced the stolen assets through Osmosis and Ethereum. Both teams said they are reaching out to relevant exchanges and law enforcement agencies.

Approximately $600,000 of the drained assets had been deposited by users into Shade Protocol smart contracts. Shade did not deploy the exploited contracts. Ecosystem contributor CarterWoetzel wrote in the Shade forum that bridge-level safeguards were "the appropriate place to detect and halt this class of attack, and that did not happen here."

Disputed Responsibility

Both teams issued a joint disclosure and said they are engaging with exchanges and law enforcement. The Shade Protocol forum noted that fund recovery discussions are led by Secret and Axelar, as the parties that control the affected infrastructure.

Axelar stated the issue was isolated to the Secret-side ICS-20 smart contract and that no other IBC connections or Axelar integrations were affected. Axelar has separately clarified the exploited contract "was not developed, deployed, or maintained" by its team. Secret Network's disclosure placed the flaw in contracts tied to the Axelar integration. Neither party has published a full post-mortem as of June 22.

Axelar's Emergency Committee disabled the Secret and Secret-SNIP bridge connections after the disclosure. Cross-chain router Squid also removed Secret Network support from its frontend. The Common Prefix report remains the most detailed public accounting of the flaw.

SCRT Price

Secret Network's SCRT token traded at $0.0558 at the time of writing, down 33% over the prior 30 days and near its all-time low of $0.0553. Axelar's AXL traded at $0.0426, down 29% over the same period. The bridge suspension leaves SCRT with limited cross-chain liquidity routes while both teams complete their investigation.

[[chartBlock BINANCE:SCRTUSDT]]