Secret Network Suffers $4.67M Loss from Cross-Chain Bridge Exploit

ChainCatcher report: Blockchain research firm Common Prefix disclosed that on June 10, a hacker exploited a vulnerability in the Secret Network and Axelar cross-chain bridge contract to forge deposits and mint unbacked tokens, subsequently cashing out approximately $4.67 million. The attack went undetected for seven days until a legitimate cross-chain transfer failed on June 17 due to insufficient funds in the custodial account, revealing the anomaly. The root cause was the contract’s removal of two critical functions responsible for verifying transfer origins when transitioning from a custodial model to a minting model—a change made since its deployment in early 2023 without any external audit. Secret Network noted that Axelar’s bridge infrastructure failed to trigger any effective anomaly detection or emergency pause mechanisms before the large-scale asset theft. The stolen funds were routed through Osmosis to Ethereum, exchanged for ETH via CoW Protocol, and then dispersed to exchanges including KuCoin, ChangeNow, and HitBTC. Approximately $672,000 remains frozen in the attacker’s Axelar wallet. Secret Network has requested Axelar to freeze this address, but the request was denied. Axelar emphasized that its core protocol was never compromised and that the exploited contract was neither developed nor maintained by Axelar. Axelar has since disabled the affected cross-chain connection and stated it is coordinating with exchanges and law enforcement agencies to follow up.