How a $4.7M Infinite Mint Bug Turned Secret Network’s Bridge Into a Treasure Trove for Hackers

Ever wonder what happens when a blockchain’s “infinite mint” bug meets a crafty attacker’s ambition? Well, the Secret Network just found out the hard way, with a $4.67 million exploit that’s shaking up the crypto world. Imagine minting unbacked tokens as if you’re printing money out of thin air — sounds wild, right? This sneaky exploit, discovered a week after it happened, exploited a smart contract’s blind spot, allowing fake Axelar-wrapped assets to flood the system and drain the real deal from escrow. It’s a stark reminder that even in the cutting-edge realm of privacy-focused, layer-1 blockchains, vulnerabilities can lead to jaw-dropping losses — and it’s far from an isolated incident this month. If you’re holding Axelar-bridged tokens on the Secret Network, you might want to brace yourself. Curious to dive deeper into how this all unfolded and the fallout? LEARN MORE.

An attacker has used an “infinite mint” bug in a vulnerable smart contract on the Secret Network to create unbacked, wrapped versions of Axelar-wrapped assets, resulting in a $4.67 million exploit.

The exploit happened on June 10 but was discovered a week later on June 17, after a failed cross-chain transaction caused by an “insufficient funds” error in the drained account was detected, blockchain research firm Common Prefix reported on Friday.

The attacker redeemed the Axelar-wrapped assets (saTokens) back over legitimate channels to drain the real Axelar-wrapped assets held in escrow because the smart contract did not verify the source of the inbound transfer before minting, so “deposits forged over an attacker-controlled channel minted genuine saTokens with no assets backing them,” Common Prefix said.

It is the latest in a series of crypto protocol hacks and exploits this month, which now number at least 22, according to DeFiLlama. The Secret Network was one of the largest, behind the Humanity Protocol and Syscoin Bridge, which lost $32 million and $8 million, respectively, earlier this month.

The Secret Network is a privacy-focused, layer-1 blockchain built on the Cosmos ecosystem, and Axelar is a decentralized interoperability network that connects different blockchain ecosystems.

The Axelar-wrapped assets minted without backing in the exploit included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH.

The attacker moved the exploited assets to the Ethereum blockchain and converted them to Ether (ETH). They then split the haul between around 30 wallets, eventually depositing the funds into exchanges including KuCoin, ChangeNow, and HitBTC, according to Common Prefix.

“If you hold Axelar-bridged saXXX tokens on Secret, please be aware their backing was affected, and your funds may be lost,” the Secret Network said on Saturday.

Stolen funds split into multiple wallets for obfuscation. Source: Common Prefix

The Secret Network’s token, Secret (SCRT), was not impacted by the incident, but it remains down 99% from its 2021 all-time high, currently trading at $0.058. Axelar’s native token, Axelar (AXL), is in a similar state, trading at $0.045, down 98% from its 2024 peak.

Axelar posted a confirmation on Saturday following “some confusion” around the incident.

“Neither Axelar nor IBC [Inter-Blockchain Communication] was compromised. The exploited token smart contract was not developed, deployed, or maintained by Axelar. Axelar’s firewalling prevented the impact from spreading to other chains,” it said.

Magazine: Bitcoin decouples from tech stocks, Ether eyes ‘selling wave’: Market Moves