The bridge linking Secret Network and Axelar was taken offline June 19 after an attacker siphoned $4.67 million in a vulnerability that let them mint unbacked wrapped assets. The exploit itself happened June 10, but it took a week for the team to spot it. The bridge shutdown is a containment move — the bigger questions around losses, recovery, and trust for liquidity providers and users are still open.
How the infinite-mint worked
The attacker didn't break into the bridge the usual way. They sent forged Inter-Blockchain Communication (IBC) packets from a private Cosmos chain to Secret Network. The problem was in a modified CW20-ICS20 contract that didn't check the source channel of incoming IBC messages. So the attacker could mint unlimited amounts of wrapped assets like saUSDT and saUSDC — tokens that don't have real backing on Secret Network.
After minting the fake supply, the attacker turned around and redeemed those unbacked tokens against real assets held in escrow on the Axelar side. That moved value from legitimate liquidity into the attacker's pocket. The result: a $4.67 million hole that wasn't noticed for a week.
Containment and what comes next
Suspending the bridge was the immediate fix. It stops further drain while the team figures out next steps. But that leaves liquidity providers and users in the dark about whether they'll recover anything. The infrastructure partners involved — Secret Network, Axelar, and any protocols relying on the bridge — all have to decide how to handle the losses and whether to restart the bridge with added safeguards.
The incident also raises trust issues. Cross-chain bridges have become prime targets, and this one's design flaw — failing to validate the source channel — is a basic but costly oversight.
Lessons for cross-chain security
This exploit underscores three things that bridges need to get right. First, strict channel validation: every incoming IBC packet must be verified against its claimed source. Second, external monitoring: a week-long gap between exploit and discovery is too long for a system holding millions. Third, rapid circuit breakers: the ability to pause the bridge automatically when anomalous minting patterns appear, rather than relying on manual detection.
The $4.67 million figure is the known loss, but the full cost could grow depending on recovery efforts and legal steps. No timeline has been given for when the bridge might reopen, or whether it will be restarted at all without a complete audit of the contract code.
