An attacker drained roughly $4.67 million from Secret Network's Axelar bridge by exploiting a flaw in a custom token contract, and the theft sat undetected for seven days, according to a postmortem published Friday by blockchain research firm and lead Axelar steward Common Prefix.
The exploit hit a modified CW20-ICS20 contract on Secret, the connection that handles assets bridged in from Axelar. The contract minted Secret-wrapped versions of Axelar-wrapped assets, known as saTokens, without checking which channel an inbound transfer actually came from. That gap let the attacker forge deposits and mint genuine saTokens with nothing backing them.
Opening an IBC channel requires no permission, so in an arguably clever move, the attacker spun up a single-validator Cosmos chain, opened a channel to the bridge contract, and self-relayed forged packets carrying token denominations that matched the contract's allow-list. The contract could not tell those bare denominations apart from ones arriving over Axelar's real channel, so it minted saTokens against them. Redeeming the minted balances back over the legitimate Axelar channel then released the actual assets held in escrow.
The drain spanned seven saTokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH, per Common Prefix.
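The defect the postmortem describes, a mint path that checks only the bare denomination and never the channel a packet arrived on, can be shown in a few dozen lines. The following Rust model is an added example written for this article; it is not the Secret contract, and the struct names, channel IDs (`channel-7` as the pinned Axelar channel, `channel-999` as a foreign one) and the `uusdc` denom are constructed placeholders. The first variant mints on any channel whose denom is allow-listed; the second pins the trusted channel and rejects everything else before the denom is consulted.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed model of one inbound ICS20 fungible-token transfer as the
/// receiving contract sees it. Field names are assumptions, not the real
/// IBC or CosmWasm types.
#[derive(Debug, Clone)]
pub struct InboundTransfer {
    pub dest_channel: String, // channel on the receiving side the packet arrived on
    pub denom: String,        // bare denomination carried in the packet
    pub amount: u128,
    pub receiver: String,
}

/// Minted wrapped-token balances, keyed by (receiver, denom).
pub type Balances = HashMap<(String, String), u128>;

fn credit(balances: &mut Balances, t: &InboundTransfer) -> u128 {
    let bal = balances
        .entry((t.receiver.clone(), t.denom.clone()))
        .or_insert(0);
    *bal += t.amount;
    *bal
}

/// Vulnerable shape: the allow-list is keyed on the bare denomination only,
/// so a matching denom arriving over *any* channel gets minted.
pub struct DenomOnlyBridge {
    pub allowed_denoms: HashSet<String>,
    pub balances: Balances,
}

impl DenomOnlyBridge {
    pub fn receive(&mut self, t: &InboundTransfer) -> Result<u128, String> {
        if !self.allowed_denoms.contains(&t.denom) {
            return Err(format!("denom {} not allow-listed", t.denom));
        }
        // The channel the packet came in on is never consulted here.
        Ok(credit(&mut self.balances, t))
    }
}

/// Hardened shape: the contract pins the single channel that leads to the
/// escrow backing these tokens and refuses transfers from anywhere else,
/// before the denomination is even looked at.
pub struct ChannelPinnedBridge {
    pub trusted_channel: String,
    pub allowed_denoms: HashSet<String>,
    pub balances: Balances,
}

impl ChannelPinnedBridge {
    pub fn receive(&mut self, t: &InboundTransfer) -> Result<u128, String> {
        if t.dest_channel != self.trusted_channel {
            return Err(format!(
                "refusing transfer on untrusted channel {}",
                t.dest_channel
            ));
        }
        if !self.allowed_denoms.contains(&t.denom) {
            return Err(format!("denom {} not allow-listed", t.denom));
        }
        Ok(credit(&mut self.balances, t))
    }
}

/// Sends the same transfer, arriving on a non-pinned channel with an
/// allow-listed denom, through both variants and returns (denom-only result,
/// channel-pinned result). All values are constructed for the demo.
pub fn demo() -> (Result<u128, String>, Result<u128, String>) {
    let denoms: HashSet<String> = vec!["uusdc".to_string()].into_iter().collect();
    let mut vulnerable = DenomOnlyBridge {
        allowed_denoms: denoms.clone(),
        balances: Balances::new(),
    };
    let mut hardened = ChannelPinnedBridge {
        trusted_channel: "channel-7".to_string(), // assumed pinned escrow channel
        allowed_denoms: denoms,
        balances: Balances::new(),
    };
    let unexpected = InboundTransfer {
        dest_channel: "channel-999".to_string(), // constructed: not the pinned channel
        denom: "uusdc".to_string(),
        amount: 1_000_000,
        receiver: "secret1receiver".to_string(), // constructed address
    };
    (vulnerable.receive(&unexpected), hardened.receive(&unexpected))
}

fn main() {
    let (v, h) = demo();
    println!("denom-only bridge:     {:?}", v);
    println!("channel-pinned bridge: {:?}", h);
}
```

The denom-only variant returns a freshly minted balance for the transfer on the foreign channel; the pinned variant returns an error and mints nothing. Keying the allow-list on the (channel, denom) pair rather than the denom alone is the fix the description implies; a reconciliation job comparing total minted supply against the escrow on the far side of the pinned channel is the monitoring counterpart that would have surfaced unbacked mints well before seven days.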