Secret Network's bridge lost $4.67 million through an infinite mint bug in a smart contract. The attack ran from June 10 but sat undetected for a full week. Discovery came through a routine "insufficient funds" error in a failed transaction that exposed a drained account. Blockchain research firm Common Prefix documented the exploit on Friday, June 20, publishing the first detailed breakdown of how the attack worked.
Two Projects, One Weak Link
Secret Network is a focused on privacy L1 blockchain built on Cosmos, where smart contracts process encrypted data invisible to outside observers. Axelar is a decentralized interoperability network connecting different ecosystems through a shared message passing protocol. The bridge between them gave the attacker the entry point they needed.
The vulnerable smart contract did not check the source of an incoming transfer before minting tokens. The attacker sent forged "deposits" through a channel they controlled, receiving genuine saTokens in return with no real backing. Once in possession of the tokens, they redeemed them through legitimate channels and drained the real wrapped assets from escrow. Affected positions included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH.
Common Prefix described the mechanism. The attacker obtained genuine saTokens without any real backing by routing forged deposits through a channel they controlled. The escrow emptied gradually, and the fabricated tokens became real money. This is a textbook infinite mint. Rather than breaking into the vault directly, the attacker broke the mechanism that grants access to it.
Seven Days Undetected
The attack ran quietly from June 10 to June 17. The attacker built up balances slowly, staying below thresholds that would trigger monitoring alerts. No automated system raised a flag. The exposure came by accident. A failed transaction threw an "insufficient funds" error from a depleted account, which prompted Common Prefix to investigate and publish its findings on June 20.
Secret Network warned token holders on June 21: "If you hold saXXX tokens bridged through Axelar on Secret, please be aware their backing was affected, and your funds may be lost." The project has not announced a compensation plan or a recovery timeline. Holders of affected assets have no clear path to restitution at this point.
Seven days of undetected activity shows the attacker understood the protocol architecture well. They deliberately avoided large single transactions, moving assets out in small portions. Not until the escrow account ran dry did any monitoring tool detect anything unusual.
How $4.67M Moved: Ethereum, 30 Wallets, Three Exchanges
After leaving escrow, the stolen assets were bridged through Axelar and converted to ETH on Ethereum. This is a standard first step. Moving into the most liquid asset on the most active chain means individual transfers are harder to trace amid high volumes.
The attacker then split the funds across roughly 30 wallets before depositing them at KuCoin, ChangeNow, and HitBTC. ChangeNow and HitBTC are known among security researchers for lighter verification requirements, making them frequent destinations for laundering stolen crypto. Fragmenting the haul across dozens of wallets also complicates any asset freeze request to the exchanges.
Axelar: "Neither We Nor IBC Were Compromised"
Axelar published a statement addressing what the team called "some confusion" around the incident. The company said the vulnerable contract was not developed, deployed, or maintained by Axelar. The IBC protocol was not affected. The firewalling mechanism stopped the damage from reaching other connected networks.
Despite the official statement, both tokens trade near prolonged lows. SCRT sits at $0.058, down 99% from its 2021 peak. AXL trades at $0.045, off 98% from its 2024 high. Both have been in prolonged decline for some time, and the June exploit gives neither much reason for a meaningful recovery.
The question of who bears responsibility remains open. If the vulnerable contract was not deployed by Axelar, the audit obligation and liability most likely fall on Secret Network's developers or the team that built the integration. Neither party has offered concrete answers yet.
June 2026: A Record Month for Bridge Exploits
DeFiLlama data counts at least 22 crypto protocol exploits in June 2026. The largest were Humanity Protocol ($32M) and Syscoin Bridge ($8M). Secret Network's $4.67M loss ranks third for the month. Three additional bridge exploits were recorded in the past two weeks: Taiko ($1.7M), Aztec ($2.1M), and several smaller incidents.
Most June attacks share one failure point. Verification gaps during cross-chain asset transfers let attackers exploit the security model mismatch between two networks. One weak contract in one chain opens a door to real assets in another.
In Secret Network's case, the missing source check before minting was an a mistake at the audit level that a code review should have caught before deployment. Until the industry treats independent audits for all interchain mechanisms as mandatory, similar incidents will follow.
Comments
Your email address will not be published. Required fields are marked *