Secret Network Suffers $4.7M Exploit via Infinite Mint Bug

A vulnerability in the Secret Network's bridge allowed an attacker to exploit an 'infinite mint' bug, resulting in a $4.67 million loss on June 10. The issue was not discovered until June 17, when a failed cross-chain transaction caused by insufficient funds in the drained account was detected.

The attacker used the vulnerability to create unbacked, wrapped versions of Axelar-wrapped assets, such as saUSDT and saWBTC. These fake assets were then redeemed back over legitimate channels, draining the real assets held in escrow. The smart contract did not verify the source of the inbound transfer before minting, allowing the attacker to forge deposits and create genuine tokens with no backing.

The Secret Network has warned holders of Axelar-bridged saXXX tokens that their funds may be lost due to the exploit. The stolen assets were moved to the Ethereum blockchain, converted to Ether (ETH), and split between multiple wallets before being deposited into exchanges like KuCoin and ChangeNow.