A cross-chain bridge connecting Secret Network to Axelar was hit by an infinite-mint vulnerability, draining roughly $4.67 million in assets. The exploit started around June 20, 2026, and went unnoticed for seven days before teams deployed a patch. Both projects are now investigating whether any of the stolen funds can be recovered.
How the infinite-mint flaw worked
The attacker abused a bug that let them mint unlimited representation tokens on the destination chain. Those tokens were then swapped or sold, draining value from the real assets locked on the source chain. Such vulnerabilities are a known risk in cross-chain bridge design, where one chain must trust the other’s reported state.
In this case the flaw sat dormant in the contract code. No one spotted it during the week it was being actively exploited. The teams only moved to shut it down after the damage had already piled up.
The seven-day detection gap
Why did the exploit run for a full week? The facts don’t say. But the delay highlights a broader problem: bridge monitoring is often reactive rather than proactive. By the time unusual transaction patterns triggered alerts, millions had already moved.
Secret Network and Axelar have not disclosed whether automated monitoring was in place or whether the anomaly was caught by a manual review of logs. Either way, the gap gave the attacker plenty of time to launder the proceeds through multiple chains.
Recovery efforts and next steps
The vulnerability has been patched, and both teams say they are “investigating asset recovery.” That likely means tracing the stolen tokens across blockchains and contacting exchanges where they might land. But recoveries are rare in these cases — most cross-chain exploit funds never come back.
No arrests have been announced, and the attacker’s identity remains unknown. The teams have not offered a bounty for the return of funds, at least not publicly.
Broader concerns for cross-chain security
This incident is the latest in a long string of bridge hacks. The technology relies on validators or relayers to verify transactions between chains, and a single bug in the smart contract can undo all that trust. Auditors regularly review bridge code, but this exploit slipped through.
The $4.67 million figure is modest compared to past billion-dollar bridge attacks, but it’s still real money lost by users who trusted the system. The teams have not said whether affected users will be compensated.
The question hanging over this episode is straightforward: how do you catch a vulnerability that stays hidden for seven days? Better real-time monitoring and faster incident response are obvious fixes, but they cost money and development time. For now, the patch is in place, and the investigation continues.
