Secret Network's bridge was hit by an exploit that drained $4.7 million worth of crypto through an 'infinite mint' bug. The hack went unnoticed for a full week, and the attacker has already moved the stolen assets into Ethereum and then to exchanges.
How the exploit worked
The vulnerability allowed the hacker to mint an unlimited amount of tokens from the bridge. It's a classic 'infinite mint' attack — the kind that targets the smart contract logic rather than any user's private key. Once the bug was triggered, the attacker could generate tokens out of thin air and then swap them for real assets.
The $4.7 million figure represents the total value extracted before the issue was spotted. The bridge connects Secret Network to other blockchains, and the exploit appears to have targeted that connection point.
A week of silence
The most striking detail? No one noticed for seven days. Whether that's because the attacker kept the minting small and slow, or because monitoring wasn't tight enough, the facts don't say. What's clear is that the window to freeze or recover funds was long gone by the time the breach became public.
For a bridge handling millions in value, a week-long blind spot isn't just bad luck — it's a systemic gap. The timing isn't great either, given the industry's ongoing scrutiny of cross-chain bridges after several high-profile hacks in previous years.
Funds moved to Ethereum
After the minting spree, the hacker bridged the stolen tokens over to Ethereum. From there, they moved the funds onto exchanges. The facts don't name which exchanges, but that's a typical play — turn dirty crypto into fiat or stablecoins as fast as possible.
Exchanges can technically freeze deposits if they know the source address. Whether that happened here is unknown. No exchange has publicly confirmed blocking the funds.
What comes next
Secret Network hasn't issued a formal post-mortem yet. The exploit's root cause — that infinite mint bug — is presumably being patched. But the funds are already out of the bridge and onto Ethereum, where tracing gets harder once they hit a mixer or a private wallet.
The big unanswered question: did any of the exchanges where the hacker deposited hold the funds long enough for law enforcement to act? Without a confirmed freeze, the $4.7 million is likely gone for good.
