Secret Network bridge drained for $4.67M because nobody checked the receipts 🧾
A bridge on the Secret Network was exploited for $4.67 million on June 10 through an "infinite mint" bug that produced unbacked, wrapped versions of Axelar-wrapped assets, blockchain research firm Common Prefix reported Friday. The vulnerability went undetected until June 17, when a failed cross-chain transaction surfaced an "insufficient funds" error in a drained account.
The flaw stemmed from a smart contract that did not verify the source of inbound transfers before minting, allowing deposits from an attacker-controlled channel to generate genuine saTokens with no assets backing them, according to Common Prefix. The attacker then redeemed the saTokens through legitimate channels to withdraw the real Axelar-wrapped assets held in escrow. The assets minted without backing included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH.
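The missing source check described above, shown as a simplified model added to this article; it is not the exploited contract's code, and every type, field and channel name in it is hypothetical. It puts the unchecked mint path beside a hardened one and adds a supply-versus-backing reconciliation that exposes unbacked tokens.

```rust
// Simplified model of a wrapping contract; all names and values here are constructed.
pub struct Deposit<'a> {
    pub channel: &'a str, // channel the inbound transfer arrived on
    pub amount: u128,
}
pub struct Wrapper {
    trusted_channel: &'static str, // only deposits on this channel add real backing
    pub backing: u128,             // assets actually held in escrow
    pub minted: u128,              // wrapped tokens in circulation
}
impl Wrapper {
    pub fn new(trusted_channel: &'static str) -> Self {
        Wrapper { trusted_channel, backing: 0, minted: 0 }
    }
    /// Ground truth: escrow grows only when assets arrive over the trusted channel.
    fn settle(&mut self, d: &Deposit) {
        if d.channel == self.trusted_channel {
            self.backing += d.amount;
        }
    }
    /// Flawed handler: mints for any deposit without checking its source.
    pub fn mint_unchecked(&mut self, d: &Deposit) -> u128 {
        self.settle(d);
        self.minted += d.amount;
        d.amount
    }
    /// Hardened handler: rejects any other source channel before minting.
    pub fn mint_checked(&mut self, d: &Deposit) -> Result<u128, String> {
        if d.channel != self.trusted_channel {
            return Err(format!("untrusted source channel: {}", d.channel));
        }
        self.settle(d);
        self.minted += d.amount;
        Ok(d.amount)
    }
    /// Reconciliation: wrapped supply that exceeds escrowed backing.
    pub fn unbacked(&self) -> u128 {
        self.minted.saturating_sub(self.backing)
    }
}

fn main() {
    let mut w = Wrapper::new("channel-trusted");
    w.mint_unchecked(&Deposit { channel: "channel-other", amount: 1_000 });
    println!("unbacked supply: {}", w.unbacked());
}
```

A non-zero `unbacked()` result is the condition a periodic reconciliation job would alert on.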
The exploit is among at least 22 crypto protocol hacks recorded this month, according to DeFiLlama. It ranks behind the Humanity Protocol and Syscoin Bridge incidents, which lost $32 million and $8 million respectively earlier in June. The Secret Network is a privacy-focused, layer-1 blockchain built on the Cosmos ecosystem, while Axelar is a decentralized interoperability network that connects different blockchain ecosystems.
Common Prefix traced the stolen assets as they were bridged to the Ethereum blockchain, converted into Ether (ETH), split across roughly 30 wallets, and deposited into exchanges including KuCoin, ChangeNow and HitBTC. "If you hold Axelar-bridged saXXX tokens on Secret, please be aware their backing was affected, and your funds may be lost," the Secret Network said on Saturday.
The Secret Network's native token, Secret (SCRT), was not impacted by the incident and was trading at $0.058, down 99% from its 2021 all-time high. Axelar's native token, Axelar (AXL), was trading at $0.045, down 98% from its 2024 peak. Axelar confirmed on Saturday that neither Axelar nor Inter-Blockchain Communication was compromised, stating that the exploited token smart contract was not developed, deployed or maintained by Axelar, and that its firewalling prevented the impact from spreading to other chains.