Web3 & DeFi Security

Secret Network–Axelar Bridge Drained $4.67M via Infinite-Mint Bug Hidden for Seven Days

An attacker exploited a removed source-validation check to mint unbacked wrapped tokens on Secret Network, redeeming them through Axelar's legitimate channel — and nobody noticed for a week.

PyramidLedger Research | 4 min read

Key Takeaways

  • An infinite-mint bug in the Secret–Axelar bridge contract let an attacker manufacture unbacked wrapped tokens and redeem them for $4.67 million in real assets.
  • The exploit ran silently from 10 June to 17 June 2026 — discovered only when an incidental transaction failure revealed the escrow was overdrawn.
  • Root cause: two source-channel validation functions were removed when the contract was adapted for the Axelar integration, with no external re-audit.
  • Axelar's core protocol was not compromised; holders of Axelar-bridged saXXX tokens on Secret Network face potential total loss on those positions.

On 10 June 2026, an attacker began quietly emptying the escrow reserves backing Secret Network's Axelar bridge. By the time anyone noticed — seven days later, on 17 June — $4.67 million had been drained across seven wrapped-token pools: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The first alert was not a monitoring system. It was a transaction failure whose error message revealed that more tokens had been bridged out of Secret than had ever been bridged in.

How the Exploit Worked

The attack exploited a missing source-validation check in Secret Network's customised bridge contract. The attacker spun up a single-validator Cosmos chain and opened an IBC channel directly to the bridge. Opening an IBC channel requires no permission from the counterparty unless the receiving application rejects the handshake, so the channel identifier is what distinguishes packets relayed by Axelar from packets relayed by anyone else. By self-relaying forged packets carrying token denominations that matched the contract's internal allow-list, the attacker triggered the mint path: the contract issued Secret-wrapped tokens against those fictitious deposits without checking which channel the packets had actually arrived on, leaving the denomination allow-list as the only gate.

Redeeming the minted balances back through Axelar's legitimate channel then released real assets held in escrow — a classic phantom-mint double-spend. Because the minting and redemption were spread across seven days, no single transaction was large enough to be immediately conspicuous.
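To make the trust-boundary failure concrete, here is a small Python simulation of the mint and redeem paths, written for this article and not taken from Secret Network's, Axelar's or any audited bridge code. The channel identifiers, the `uusdt` denomination and the account names are assumed placeholders. With `verify_source=False` the contract behaves like the incident's modified version: it gates minting on the denomination allow-list alone, so a forged packet from an attacker-controlled channel mints unbacked tokens that are then redeemed against another user's backing, and the honest user's later redemption fails with an "escrow overdrawn" error of the kind that finally surfaced the shortfall. With `verify_source=True` the forged packet is rejected at the channel check.

```python
from dataclasses import dataclass, field


# Assumed placeholder channel IDs for this simulation, not the real ones.
AXELAR_CHANNEL = "channel-axelar"      # the channel Axelar's relayers deliver on
ATTACKER_CHANNEL = "channel-attacker"  # a channel opened from an attacker-run chain


class BridgeError(Exception):
    """Raised when the contract rejects a packet or a redemption."""


@dataclass(frozen=True)
class IbcPacket:
    """The fields of an incoming transfer packet that matter to the mint path."""
    dest_channel: str   # channel on Secret the packet actually arrived over
    denom: str          # token denomination carried by the packet
    amount: int
    receiver: str


@dataclass
class BridgeContract:
    allowed_denoms: frozenset
    verify_source: bool = True                     # False reproduces the removed check
    escrow: dict = field(default_factory=dict)     # real backing credited per denom
    supply: dict = field(default_factory=dict)     # wrapped tokens in circulation per denom
    balances: dict = field(default_factory=dict)   # (holder, denom) -> wrapped balance

    def on_recv_packet(self, pkt: IbcPacket) -> int:
        """Mint path: credit wrapped tokens to the receiver, return the amount minted."""
        if pkt.denom not in self.allowed_denoms:
            raise BridgeError(f"denom {pkt.denom!r} is not on the allow-list")
        # The trust-boundary check the incident's contract no longer had: a
        # denomination name proves nothing, only the channel identifies the counterparty.
        if self.verify_source and pkt.dest_channel != AXELAR_CHANNEL:
            raise BridgeError(f"packet arrived on unauthorised {pkt.dest_channel!r}")
        if pkt.dest_channel == AXELAR_CHANNEL:
            # Only packets relayed by Axelar correspond to assets actually locked upstream.
            self.escrow[pkt.denom] = self.escrow.get(pkt.denom, 0) + pkt.amount
        self.supply[pkt.denom] = self.supply.get(pkt.denom, 0) + pkt.amount
        key = (pkt.receiver, pkt.denom)
        self.balances[key] = self.balances.get(key, 0) + pkt.amount
        return pkt.amount

    def redeem(self, holder: str, denom: str, amount: int) -> int:
        """Burn wrapped tokens and release the same amount of backing via Axelar."""
        key = (holder, denom)
        if self.balances.get(key, 0) < amount:
            raise BridgeError("insufficient wrapped balance")
        if self.escrow.get(denom, 0) < amount:
            # A failure of this shape is what eventually revealed the shortfall.
            raise BridgeError(f"escrow overdrawn for {denom}: {self.escrow.get(denom, 0)} "
                              f"backing {self.supply.get(denom, 0)} minted")
        self.balances[key] -= amount
        self.supply[denom] -= amount
        self.escrow[denom] -= amount
        return amount


def run_scenario(verify_source: bool) -> dict:
    """Alice bridges 1_000 uusdt over Axelar; Mallory self-relays a forged packet with
    the same denomination over her own channel, then redeems. Returns a summary dict."""
    bridge = BridgeContract(allowed_denoms=frozenset({"uusdt"}), verify_source=verify_source)
    bridge.on_recv_packet(IbcPacket(AXELAR_CHANNEL, "uusdt", 1_000, "alice"))

    attacker_minted = attacker_redeemed = 0
    try:
        forged = IbcPacket(ATTACKER_CHANNEL, "uusdt", 1_000, "mallory")
        attacker_minted = bridge.on_recv_packet(forged)
        attacker_redeemed = bridge.redeem("mallory", "uusdt", attacker_minted)
    except BridgeError:
        pass  # hardened contract: the forged packet is rejected

    try:
        bridge.redeem("alice", "uusdt", 1_000)
        victim_redeem_ok = True
    except BridgeError:
        victim_redeem_ok = False  # vulnerable contract: Alice's backing is already gone

    return {
        "attacker_minted": attacker_minted,
        "attacker_redeemed": attacker_redeemed,
        "victim_redeem_ok": victim_redeem_ok,
        "unbacked_supply": bridge.supply.get("uusdt", 0) - bridge.escrow.get("uusdt", 0),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(verify_source=False))
    print("hardened:  ", run_scenario(verify_source=True))
```

Note what the hardened version checks: the destination channel on the receiving chain, which the IBC handshake binds to one specific counterparty client and connection. Matching on denomination strings alone is not a check at all, because the attacker chooses the strings inside the packets they relay.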

Seven Days in the Dark

No on-chain monitoring caught the widening gap between minted token supply and escrowed backing. There was no reserve-reconciliation check, no anomaly detection, no alert. The discovery mechanism — a failed transfer with a revealing error message — was entirely incidental. That a bridge holding millions in user funds could be drained incrementally over a week with no automated detection is a significant operational failure, independent of the root code vulnerability.

Root Cause: Validation Removed, Audit Skipped

The bridge contract had originally followed an escrow model. When it was reworked for the Axelar integration, two functions responsible for validating a packet's source channel were removed. Without those checks, the contract could not distinguish a packet arriving over Axelar's authorised channel from one arriving over an attacker-controlled channel with matching token names. Secret Network's post-mortem noted that no external audit was requested as part of the integration — leaving a critical trust-boundary flaw silently in production.

Response and Immediate Impact

Axelar's emergency committee moved to disable both the Secret and Secret-SNIP connections after the exploit was identified. Axelar confirmed its core protocol was not compromised and the flaw was isolated to the customised Secret-side contract. Secret Network issued a public warning: "If you hold Axelar-bridged saXXX tokens on Secret, please be aware their backing was affected and your funds may be lost."

Wider Implications for Bridge Security

Cross-chain bridges remain DeFi's most consistently exploited attack surface, and this incident follows a familiar pattern: adapt a contract for a new integration, skip the re-audit, lose user funds. Two specific lessons stand out. First, any modification to a deployed bridge contract — even a refactor — should trigger a full external audit of the changed code paths, particularly trust-boundary and source-validation logic. Second, bridges must run continuous reserve-reconciliation checks; relying on incidental transaction failures to surface a reserve shortfall is not a monitoring strategy.
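The detection gap described under "Seven Days in the Dark", and the reserve-reconciliation lesson drawn from it here, reduce to one invariant: per denomination, wrapped supply on Secret must never exceed the backing held on the Axelar side. The Python monitor below is an added example written for this article, not Secret Network's or Axelar's tooling. The event stream is constructed, the `saUSDC` amounts and block heights are made up, and the event kinds (`lock`/`unlock` for the escrow side, `mint`/`burn` for the wrapped side) are an assumed normalised feed rather than real chain event names. It replays both feeds in height order and alerts the first time the invariant breaks; it also runs a naive per-transaction size threshold over the same stream to show why that approach fires on the honest deposit and misses a drain spread over modest transfers.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class BridgeEvent:
    """One normalised event from either side of the bridge (assumed feed format)."""
    height: int   # block height at which the event was observed
    kind: str     # "lock"/"unlock" on the escrow side, "mint"/"burn" on the wrapped side
    denom: str
    amount: int


@dataclass(frozen=True)
class Alert:
    height: int
    denom: str
    supply: int
    backing: int
    deficit: int


def _apply(ev: BridgeEvent, supply: dict, backing: dict) -> None:
    """Fold one event into the running supply/backing totals."""
    if ev.kind == "mint":
        supply[ev.denom] += ev.amount
    elif ev.kind == "burn":
        supply[ev.denom] -= ev.amount
    elif ev.kind == "lock":
        backing[ev.denom] += ev.amount
    elif ev.kind == "unlock":
        backing[ev.denom] -= ev.amount
    else:
        raise ValueError(f"unknown event kind {ev.kind!r}")


def reconcile(events, tolerance: int = 0) -> list:
    """Replay both feeds in height order; return the first Alert per denom raised when
    wrapped supply exceeds escrowed backing by more than `tolerance`."""
    supply, backing = defaultdict(int), defaultdict(int)
    alerts, alerted = [], set()
    ordered = sorted(events, key=lambda e: e.height)  # stable sort keeps same-height order
    for height, batch in groupby(ordered, key=lambda e: e.height):
        for ev in batch:
            _apply(ev, supply, backing)
        # Evaluate only at block boundaries: a legitimate lock and its matching mint
        # can land in the same block, and checking mid-block would misfire on them.
        for denom in sorted(set(supply) | set(backing)):
            deficit = supply[denom] - backing[denom]
            if deficit > tolerance and denom not in alerted:
                alerts.append(Alert(height, denom, supply[denom], backing[denom], deficit))
                alerted.add(denom)
    return alerts


def final_deficit(events) -> dict:
    """Supply minus backing per denom after replaying everything (non-zero entries only)."""
    supply, backing = defaultdict(int), defaultdict(int)
    for ev in events:
        _apply(ev, supply, backing)
    return {d: supply[d] - backing[d] for d in sorted(set(supply) | set(backing))
            if supply[d] - backing[d] != 0}


def size_threshold_alerts(events, threshold: int) -> list:
    """The naive alternative: flag any single mint above `threshold`. Returns heights."""
    return [e.height for e in events if e.kind == "mint" and e.amount > threshold]


# Constructed event stream, not real chain data. One honest deposit, then two forged
# mints with no matching lock, each redeemed against the honest user's backing.
SAMPLE_EVENTS = [
    BridgeEvent(100, "lock", "saUSDC", 500_000),    # honest deposit seen on the Axelar side
    BridgeEvent(100, "mint", "saUSDC", 500_000),    # matching wrapped mint on Secret
    BridgeEvent(210, "mint", "saUSDC", 60_000),     # forged packet: mint with no lock
    BridgeEvent(215, "burn", "saUSDC", 60_000),     # attacker redeems ...
    BridgeEvent(215, "unlock", "saUSDC", 60_000),   # ... and real backing leaves escrow
    BridgeEvent(330, "mint", "saUSDC", 60_000),     # second forged mint
    BridgeEvent(335, "burn", "saUSDC", 60_000),
    BridgeEvent(335, "unlock", "saUSDC", 60_000),
]


if __name__ == "__main__":
    for alert in reconcile(SAMPLE_EVENTS):
        print(f"height {alert.height}: {alert.denom} supply {alert.supply} "
              f"> backing {alert.backing} (deficit {alert.deficit})")
    print("deficit after replay:", final_deficit(SAMPLE_EVENTS))
    print("size-threshold hits:", size_threshold_alerts(SAMPLE_EVENTS, 100_000))
```

Two properties of the sample are worth noticing. The invariant check fires at the very first forged mint, before any backing has left; it does not wait for a failed redemption. And redeeming a phantom token does not shrink the deficit, it only converts unbacked supply into missing escrow, which is why the gap at the end of the replay equals the total of the forged mints even though the attacker's own balance is zero.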

Frequently Asked Questions

What is an infinite-mint exploit in a cross-chain bridge?

An infinite-mint exploit occurs when an attacker can trigger a bridge contract to issue wrapped tokens without providing equivalent backing assets — effectively printing money. Here, forged IBC packets convinced the Secret-side contract to mint wrapped tokens against deposits that never existed, allowing those tokens to then be redeemed for real assets held in escrow.

Was the Axelar network itself compromised in this exploit?

No. Axelar confirmed its core protocol was unaffected. The vulnerability existed in a customised Secret Network-side bridge contract that had been adapted for the Axelar integration, not in Axelar's own infrastructure. Axelar's emergency committee disabled the affected bridge connections as a precaution after the exploit was identified.

How can bridge operators prevent this class of attack?

Three controls matter most: (1) treat any contract modification as equivalent to a new deployment and mandate an external audit of the changed code paths, especially source-validation logic; (2) run continuous on-chain reserve-reconciliation checks that alert when minted supply diverges from escrowed backing; (3) bind the mint path to an allow-list of authorised channel identifiers, which the IBC handshake and light-client proofs tie to a specific counterparty, rather than to token denomination names, which the sender of a packet controls.
