Secret Network's cross-chain bridge to Axelar was drained of $4.67 million in wrapped tokens through an infinite-mint vulnerability, the two projects disclosed on June 19. The exploit went unnoticed for seven days before the bridge was suspended.
A flaw years in the making
The attacker exploited a minting flaw that had been present in the bridge for years. By repeatedly calling a function that should have been restricted, they minted unlimited amounts of wrapped tokens, then moved them off the bridge. The theft spanned seven days before anyone noticed. No users' funds on the Secret Network itself were affected, but the wrapped tokens held in the bridge's smart contracts were lost.
The specific technical details of the vulnerability have not been fully released, but both teams confirmed it was an infinite-mint bug — a class of exploit that lets an attacker create tokens out of thin air. In this case, the minting was tied to the bridge's role as a cross-chain intermediary, where wrapped assets are pegged to underlying tokens on other networks.
Disclosure and response
Secret Network and Axelar issued simultaneous statements on June 19, nearly two weeks after the attack concluded. The bridge has been suspended, and both teams said they are investigating how the vulnerability existed undetected for so long.
Neither project has announced a timeline for reopening the bridge or recovering the stolen funds. The $4.67 million figure represents the total value of wrapped tokens lost, based on market prices at the time of the exploit.
Unanswered questions
The disclosure leaves several open questions. Who was behind the attack? Were any of the stolen funds traced to specific addresses? And how did a years-old minting flaw escape detection across multiple audits? The two networks have not said whether law enforcement has been contacted or if a bounty is being offered for information.
For now, users who relied on the bridge to move assets between Secret Network and Axelar's ecosystem are stuck. The suspension means no deposits or withdrawals can be processed until the teams patch the vulnerability and decide on a path forward.
