Infinite-mint exploit drains $4.67M from Axelar bridge
A flaw in a Secret Network token contract allowed an attacker to mint unbacked saTokens and redeem $4.67 million from the Axelar bridge; the theft went undetected for seven days.
An attacker exploited a token contract on Secret Network to mint unbacked Secret-wrapped Axelar assets (saTokens) and withdraw $4.67 million from the Axelar bridge, investigators found. The withdrawals occurred on June 10 and the shortfall was discovered on June 17.
The breach targeted a modified CW20-ICS20 contract that handles incoming IBC transfers and issues saTokens. The contract did not verify which IBC channel deposits came from. That omission let the attacker forge packets that matched token denominations on the contract’s allow-list, causing the contract to mint saTokens with no collateral behind them.
Opening an IBC channel requires no permission. The attacker created a single-validator Cosmos chain, opened a channel to the bridge contract and self-relayed forged packets. Because the contract could not distinguish forged packets from legitimate transfers over Axelar’s channel, the attacker redeemed the newly minted saTokens on the real Axelar channel and released the actual assets held in escrow.
Common Prefix, the blockchain research firm and lead Axelar steward that published a postmortem, traced seven withdrawals and identified the affected tokens as saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH. The firm traced the vulnerability to the contract’s initial deployment in early 2023 and to a March 5 migration that carried the same missing channel checks into updated bytecode.
Secret Network’s post explained that the bridge contract had been adapted from an escrow model to a mint model for the Axelar integration and that two functions that would have validated a transfer’s source were removed during that change. The Secret post also noted that Axelar did not request an external audit as part of the integration.
Secret pointed to the network’s encrypted balances as a factor that delayed detection: because balances are hidden by default, the missing collateral did not appear on-chain in the same way an emptied pool would on other networks. Secret’s post criticized bridge monitoring and wrote, “no effective monitoring, anomaly-detection, or emergency pause mechanisms were triggered within the Axelar bridge infrastructure to identify and temporarily halt unusually large or suspicious transfers before the bridge assets were substantially drained from Axelar.”
Axelar posted that its core protocol and IBC were not compromised and emphasized that the exploited token smart contract was not developed, deployed or maintained by Axelar. The Axelar team disabled the Secret and Secret-SNIP connections and is coordinating with exchanges and law enforcement. No timeline has been given for restoring the connection.
Tracing by Common Prefix shows the attacker moved stolen assets to Axelar, routed them through Osmosis using automated packet-forwarding, then bridged to Ethereum. Most funds were swapped for ether on a decentralized venue, split into about 30 transfers to fresh wallets, and then sent to deposit addresses at several exchanges. At the time of the post, Secret identified roughly $770,000 of stolen funds remaining in the attacker’s Axelar wallet and asked Axelar to freeze or help recover those assets; Axelar has not frozen the funds.
The incident follows other major cross-chain bridge exploits earlier in the year. Common Prefix and network teams continue to trace flows and assess remediation steps.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.








