Axelar Clarifies $4.67M Secret Network Bridge Exploit Origin

Cryptofrontnews

Summary
  • Axelar stated the exploit originated from a forked Secret Network contract that removed key token minting safeguards.
  • The vulnerability enabled attackers to mint unbacked assets and drain escrowed funds through legitimate bridge channels.
  • Axelar disabled Secret Network connections after discovery and said no other chains or core protocol components were affected.

Axelar Network has moved to clarify its role in a $4.67 million exploit linked to Secret Network, stating that neither Axelar nor the Inter-Blockchain Communication (IBC) protocol suffered a compromise. The clarification followed a postmortem from Common Prefix, which traced the June 10 incident to a vulnerable smart contract on Secret Network. According to Axelar, the exploited contract was not developed, deployed, or maintained by its team.

Axelar Points To Modified Secret Contract

According to Axelar, the exploited contract was a fork of the CW20-ICS20 implementation used to wrap assets arriving through IBC. The company said developers removed two core security checks that normally prevent unauthorized token minting.

As a result, the modified contract introduced an “infinite mint” vulnerability. Axelar noted that the altered version changed the contract’s trust assumptions but did not undergo a new security audit.

Common Prefix reached a similar conclusion in its investigation. The research firm found that the contract minted Secret-wrapped assets, known as saTokens, without validating the source channel of inbound transfers.

That flaw allowed an attacker to create a single-validator Cosmos chain and open an IBC connection to the contract. The attacker then sent forged packets carrying approved token denominations and received legitimate saTokens without collateral backing them.

Seven-Day Gap Delayed Discovery

The exploit affected seven assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. According to Common Prefix, the attacker redeemed those assets through Axelar’s legitimate channel and withdrew funds held in escrow.


Notably, investigators traced the vulnerability to the contract’s original deployment in early 2023. A March 5 migration retained the same missing validation checks. The theft remained unnoticed until June 17. At that point, a routine cross-chain transfer failed because the escrow account lacked sufficient funds.

Secret Network stated that encrypted balances made the shortfall difficult to detect. The network also said the functions responsible for verifying transfer sources were removed during an earlier contract redesign.
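The two defensive points in the passages above, the source-channel validation that the forked contract lacked and the supply-versus-escrow shortfall that went unnoticed for a week, can be shown side by side in a small model. The following Rust is an added example written for this article; it is not Secret Network, Axelar, or CW20-ICS20 code, and it does not use the CosmWasm SDK. The channel ids (`channel-0`, `channel-99`), the denom `uusdc`, and the struct and function names are all constructed for the illustration. The `receive_unchecked` handler mints whenever the denom is approved, regardless of which IBC channel the packet arrived on; `receive_checked` rejects any channel the operator has not explicitly allowed before minting. `unbacked_supply` is the reconciliation check that would have flagged the shortfall directly instead of waiting for a redemption to fail.

```rust
use std::collections::{HashMap, HashSet};

/// Minimal model of an ICS20-style wrapper contract (constructed for this example,
/// not the Secret Network, Axelar, or CW20-ICS20 code). It records which IBC
/// channels are trusted and tracks wrapped supply against backing collateral.
#[derive(Default)]
pub struct WrapperContract {
    /// Channels the operator explicitly trusts (ids are hypothetical).
    allowed_channels: HashSet<String>,
    /// Approved source denoms and the wrapped symbol each maps to.
    allowed_denoms: HashMap<String, String>,
    /// Wrapped supply minted per symbol.
    minted: HashMap<String, u128>,
    /// Collateral actually locked behind a trusted channel, per symbol.
    backed: HashMap<String, u128>,
}

/// An inbound ICS20 transfer as the receive handler sees it.
pub struct InboundPacket {
    pub source_channel: String,
    pub denom: String,
    pub amount: u128,
}

#[derive(Debug, PartialEq)]
pub enum ReceiveError {
    UntrustedChannel(String),
    UnknownDenom(String),
}

impl WrapperContract {
    pub fn new(channels: &[&str], denoms: &[(&str, &str)]) -> Self {
        WrapperContract {
            allowed_channels: channels.iter().map(|c| c.to_string()).collect(),
            allowed_denoms: denoms.iter().map(|(d, s)| (d.to_string(), s.to_string())).collect(),
            ..Default::default()
        }
    }

    fn symbol_for(&self, denom: &str) -> Result<String, ReceiveError> {
        self.allowed_denoms
            .get(denom)
            .cloned()
            .ok_or_else(|| ReceiveError::UnknownDenom(denom.to_string()))
    }

    /// Vulnerable pattern: only the denom is checked, so a packet from any
    /// channel mints wrapped tokens. Collateral is only real when the packet
    /// came through a trusted channel, so every other mint is unbacked.
    pub fn receive_unchecked(&mut self, pkt: &InboundPacket) -> Result<u128, ReceiveError> {
        let symbol = self.symbol_for(&pkt.denom)?;
        if self.allowed_channels.contains(&pkt.source_channel) {
            *self.backed.entry(symbol.clone()).or_insert(0) += pkt.amount;
        }
        *self.minted.entry(symbol).or_insert(0) += pkt.amount;
        Ok(pkt.amount)
    }

    /// Hardened pattern: refuse to mint unless the source channel is trusted.
    pub fn receive_checked(&mut self, pkt: &InboundPacket) -> Result<u128, ReceiveError> {
        if !self.allowed_channels.contains(&pkt.source_channel) {
            return Err(ReceiveError::UntrustedChannel(pkt.source_channel.clone()));
        }
        let symbol = self.symbol_for(&pkt.denom)?;
        *self.backed.entry(symbol.clone()).or_insert(0) += pkt.amount;
        *self.minted.entry(symbol).or_insert(0) += pkt.amount;
        Ok(pkt.amount)
    }

    /// Solvency invariant: wrapped supply minus backing collateral, per symbol.
    /// A non-zero entry is the shortfall that would otherwise surface only when
    /// a redemption fails for lack of escrow.
    pub fn unbacked_supply(&self) -> Vec<(String, u128)> {
        let mut out: Vec<(String, u128)> = self
            .minted
            .iter()
            .map(|(sym, m)| (sym.clone(), m.saturating_sub(self.backed.get(sym).copied().unwrap_or(0))))
            .filter(|(_, gap)| *gap > 0)
            .collect();
        out.sort();
        out
    }
}

/// Constructed scenario: one real transfer over the trusted channel and one
/// packet from a channel the operator never allowed. Returns the unbacked
/// supply reported by the vulnerable and the hardened contract respectively.
pub fn demo() -> (Vec<(String, u128)>, Vec<(String, u128)>) {
    let packets = vec![
        InboundPacket { source_channel: "channel-0".into(), denom: "uusdc".into(), amount: 1_000 },
        InboundPacket { source_channel: "channel-99".into(), denom: "uusdc".into(), amount: 5_000 },
    ];
    let mut vulnerable = WrapperContract::new(&["channel-0"], &[("uusdc", "saUSDC")]);
    let mut hardened = WrapperContract::new(&["channel-0"], &[("uusdc", "saUSDC")]);
    for p in &packets {
        let _ = vulnerable.receive_unchecked(p);
        let _ = hardened.receive_checked(p);
    }
    (vulnerable.unbacked_supply(), hardened.unbacked_supply())
}

fn main() {
    let (vuln, hard) = demo();
    println!("vulnerable contract unbacked supply: {:?}", vuln);
    println!("hardened contract unbacked supply:   {:?}", hard);
}
```

The design choice worth noting is that the channel allowlist is operator-controlled state rather than something inferred from the packet: a chain that anyone can spin up can open a new IBC channel, so the only thing that distinguishes a legitimate transfer is that the operator chose to trust its channel. The reconciliation function is the cheap monitoring counterpart; on a chain with encrypted balances, an explicit supply-versus-collateral check is what remains visible.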

Axelar Disables Connections After Discovery

Following the discovery, Axelar disabled its Secret and Secret-SNIP connections. In addition, cross-chain router Squid removed Secret Network from its interface.

Axelar maintained that its firewalling measures prevented the issue from spreading beyond the affected contract. The company added that no other chains, escrow accounts, channels, or components of its core protocol were impacted.

Meanwhile, Common Prefix traced the stolen assets through Osmosis and Ethereum before exchanges and law enforcement became involved. Axelar said it continues coordinating with relevant parties while keeping the affected connection offline.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.