Secret Network's Axelar Bridge Drained $4.67M in Infinite-Mint Exploit

An attacker exploited a years-old vulnerability in Secret Network's cross-chain bridge to Axelar, draining $4.67 million in wrapped tokens over seven days before discovery. The flaw, an infinite-mint bug in a CW20-ICS20 contract, went undetected from June 10 to June 17, allowing the attacker to drain seven different Axelar-wrapped assets. Secret Network suspended the bridge connection immediately following discovery.

The vulnerability represents a critical failure in contract security review and monitoring. CW20-ICS20 contracts are standard implementations for cross-chain token transfers on Cosmos-based networks. The infinite-mint flaw suggests the contract lacked proper safeguards to prevent unlimited token creation. The attacker exploited this gap to generate wrapped tokens without corresponding collateral, then converted or transferred them across the bridge before the discrepancy was detected.

The timeline is particularly concerning. A vulnerability persisting for years without discovery indicates either inadequate code audits during initial deployment or failure to implement continuous security monitoring. The seven-day window between the first unauthorized transaction and detection suggests the bridge lacked real-time anomaly detection or transaction validation mechanisms that might have flagged unusual minting activity.

This incident follows a pattern of bridge exploits that have cost the ecosystem billions. The Ronin bridge hack in March 2022 drained $625 million through validator compromise. The Poly Network exploit in August 2021 stole $611 million by manipulating cross-chain message verification. The Nomad bridge drain in August 2022 cost users $190 million when an attacker discovered a missing zero-check in the contract. Each attack exposed architectural weaknesses in how bridges handle token minting, validation, and access control.

The bridge suspension creates a trade-off for legitimate users. Cross-chain liquidity on Secret Network is now reduced, and users holding wrapped assets on Axelar cannot easily move them to other chains. This may drive volume to alternative bridges, though users should carefully evaluate the security posture of those alternatives before moving significant capital.

For Secret Network and Axelar, the immediate priority is a full security audit of the affected contract and comprehensive review of other bridge implementations. Code audits should be continuous, not one-time events. Monitoring systems should flag unusual token minting patterns in real time. Contract upgrades addressing known vulnerability classes should be prioritized rather than deferred.

The $4.67 million loss is significant but could have been far worse if the exploit had gone undetected longer. The real cost is to user confidence in cross-chain infrastructure and whether bridges can be secured at the architectural level or if the risks are inherent to their design.