Guavy AI Editorial Team

Secret Network Bridge Hit for $4.67M in 'Infinite Mint' Bug Exploit

An attacker exploited an 'infinite mint' bug in a vulnerable smart contract on the Secret Network, resulting in a $4.67 million loss.

The exploit occurred on June 10 but was not discovered until June 17, when a cross-chain transaction failed with an 'insufficient funds' error in the drained account.

The smart contract did not verify the source of an inbound transfer before minting, so deposits forged over an attacker-controlled channel minted genuine saTokens with no backing. The attacker then redeemed those saTokens over legitimate channels, draining the real Axelar-wrapped assets held in escrow.
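The missing source check, and a supply-versus-escrow invariant that flags unbacked minting, shown as an added example. This is a constructed model, not Secret Network or Axelar code; `Wrapper`, `Inbound`, `receive`, `unbacked` and the channel names are hypothetical.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model, not Secret Network or Axelar code. All names are hypothetical.
struct Inbound<'a> {
    channel: &'a str, // channel the packet arrived on
    denom: &'a str,
    amount: u128,
}

struct Wrapper {
    trusted: HashSet<String>,      // channels that really lead to the escrow
    escrow: HashMap<String, u128>, // real backing held per denom
    supply: HashMap<String, u128>, // wrapped tokens minted per denom
}

impl Wrapper {
    fn new(trusted: &[&str]) -> Self {
        Wrapper {
            trusted: trusted.iter().map(|c| c.to_string()).collect(),
            escrow: HashMap::new(),
            supply: HashMap::new(),
        }
    }

    // verify_source = false models the flaw: mint without checking the channel.
    // Only a transfer that arrived over a trusted channel adds real backing.
    fn receive(&mut self, t: &Inbound, verify_source: bool) -> Result<(), String> {
        let genuine = self.trusted.contains(t.channel);
        if verify_source && !genuine {
            return Err(format!("mint refused: untrusted channel {}", t.channel));
        }
        if genuine {
            *self.escrow.entry(t.denom.to_string()).or_insert(0) += t.amount;
        }
        *self.supply.entry(t.denom.to_string()).or_insert(0) += t.amount;
        Ok(())
    }

    // Monitoring invariant: wrapped supply must never exceed escrowed backing.
    fn unbacked(&self, denom: &str) -> u128 {
        let supply = self.supply.get(denom).copied().unwrap_or(0);
        supply.saturating_sub(self.escrow.get(denom).copied().unwrap_or(0))
    }
}

fn main() {
    let forged = Inbound { channel: "channel-999", denom: "saUSDC", amount: 1_000 };
    let mut w = Wrapper::new(&["channel-1"]);
    w.receive(&forged, false).unwrap();
    println!("unbacked after unchecked mint: {}", w.unbacked("saUSDC"));
}
```

A non-zero `unbacked` value is the condition worth alerting on: it appears at mint time, before any redemption touches the escrow.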

The Secret Network is a privacy-focused, layer-1 blockchain built on the Cosmos ecosystem, and Axelar is a decentralized interoperability network that connects different blockchain ecosystems. The affected assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH.

The attacker moved the exploited assets to the Ethereum blockchain and converted them to Ether (ETH). They then split the haul between around 30 wallets, eventually depositing the funds into exchanges including KuCoin, ChangeNow, and HitBTC.