A smart contract vulnerability on Secret Network enabled the unauthorized minting of about $4.67 million in Axelar-wrapped assets. The exploit occurred on June 10 and was publicly disclosed on June 19 after irregularities surfaced in cross-chain activity.
The attacker reportedly created unbacked versions of several wrapped tokens before redeeming them for underlying assets held in escrow. The incident affected Secret-wrapped Axelar assets, but Axelar said its core network and the IBC protocol were not compromised.
Infinite Mint Bug Enabled Forged Deposits
Security firm Common Prefix traced the incident to an “infinite mint” vulnerability in a modified CW20-ICS20 token contract on Secret Network. The affected contract allegedly accepted forged deposit proofs without properly verifying the source of inbound transfers.
The attacker created a new Cosmos-based chain with a single validator and used it to generate transfer proofs that the vulnerable contract treated as valid. That allowed the minting of saTokens without corresponding collateral.
The targeted assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC and sawstETH. Once minted on Secret Network, the unbacked tokens were redeemed into their underlying assets.
The proceeds were later moved to Ethereum and split across multiple wallets. The available reporting indicates that the vulnerability remained unnoticed for roughly one week, with the first major warning signs appearing on June 17 after a failed cross-chain transfer.
Bridge Logic Faces Another Validation Failure
The incident highlights the persistent risk in wrapped-asset validation logic. If a contract accepts inbound transfer proofs without sufficient source verification, an attacker can potentially create claims on assets that were never legitimately bridged.
Axelar said the affected contract was not developed or maintained by its team. That distinction matters because the exploit appears tied to a specific Secret Network contract implementation rather than a compromise of Axelar’s core infrastructure.
The exploit also fits a broader pattern of cross-chain security failures involving unauthorized minting and bridge message validation weaknesses. Similar incidents have shown how small assumptions in contract logic can expose escrowed assets to large losses.
For now, the confirmed picture remains incomplete. Common Prefix has provided the main technical breakdown, funds have been traced to Ethereum, and the estimated loss stands near $4.67 million. The next key update will be a final official post-mortem clarifying the affected contract, recovery status and full movement of funds.