An attacker has used an “infinite mint” bug in a vulnerable smart contract on the Secret Network to create unbacked, wrapped versions of Axelar-wrapped assets, resulting in a $4.67 million exploit.
The exploit happened on June 10 but was discovered a week later on June 17, after a failed cross-chain transaction caused by an “insufficient funds” error in the drained account was detected, blockchain research firm Common Prefix reported on Friday.
The attacker redeemed the Axelar-wrapped assets (saTokens) back over legitimate channels to drain the real Axelar-wrapped assets held in escrow because the smart contract did not verify the source of the inbound transfer before minting, so “deposits forged over an attacker-controlled channel minted genuine saTokens with no assets backing them,” Common Prefix said.
It is the latest in a series of crypto protocol hacks and exploits this month, which now number at least 22, according to DeFiLlama. The Secret Network was one of the largest, behind the Humanity Protocol and Syscoin Bridge, which lost $32 million and $8 million, respectively, earlier this month.
The Secret Network is a privacy-focused, layer-1 blockchain built on the Cosmos ecosystem, and Axelar is a decentralized interoperability network that connects different blockchain ecosystems.
The Axelar-wrapped assets minted without backing in the exploit included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH.
The attacker moved the exploited assets to the Ethereum blockchain and converted them to Ether (ETH). They then split the haul between around 30 wallets, eventually depositing the funds into exchanges including KuCoin, ChangeNow, and HitBTC, according to Common Prefix.
“If you hold Axelar-bridged saXXX tokens on Secret, please be aware their backing was affected, and your funds may be lost,” the Secret Network said on Saturday.
Stolen funds split into multiple wallets for obfuscation. Source: Common Prefix
The Secret Network’s token, Secret (SCRT), was not impacted by the incident, but it remains down 99% from its 2021 all-time high, currently trading at $0.058. Axelar’s native token, Axelar (AXL), is in a similar state, trading at $0.045, down 98% from its 2024 peak.
Axelar posted a confirmation on Saturday following “some confusion” around the incident.
“Neither Axelar nor IBC [Inter-Blockchain Communication] was compromised. The exploited token smart contract was not developed, deployed, or maintained by Axelar. Axelar’s firewalling prevented the impact from spreading to other chains,” it said.