Secret Network Bridge Exploited for $4.7M via Infinite Mint Bug
An attacker exploited a smart contract bug to mint unbacked Axelar-wrapped assets on Secret Network, draining $4.67M. Funds were converted to ETH, split across 30 wallets, and deposited on exchanges. The network warned affected holders their funds may be lost.
Quick Take
Infinite mint bug allowed creation of unbacked wrapped tokens.
$4.67M stolen and moved to Ethereum, then split into 30 wallets.
Secret Network warned Axelar-bridged saXXX holders of potential loss.
Axelar confirmed no compromise; firewalling prevented cross-chain spread.
Market Impact Analysis
BearishNegative sentiment from exploit may pressure SCRT and AXL prices, but damage is contained and amounts relatively small.
Speculation Analysis
Key Takeaways
- An infinite mint bug let an attacker create unbacked wrapped tokens on Secret Network, causing $4.67M in losses.
- The stolen assets were swapped to ETH, split into 30 wallets, and funneled to exchanges like KuCoin and ChangeNow.
- Secret Network warned holders of affected Axelar-bridged saXXX tokens that their funds may be unrecoverable.
- Axelar confirmed its network wasn't compromised; firewalling prevented cross-chain spread.
- This marks at least the 22nd crypto exploit this month, adding to over $42M in protocol losses.
What Happened
On June 10, an attacker exploited an infinite mint bug in a Secret Network smart contract to generate unbacked Axelar-wrapped assets (saTokens). The vulnerability allowed forged deposits to mint genuine tokens without backing. The theft remained undetected for a week until a failed cross-chain transaction triggered an error. The attacker redeemed the fake saTokens through legitimate channels, draining $4.67M from the escrow. They then converted the haul to ETH, split it across roughly 30 wallets, and deposited on exchanges including KuCoin and ChangeNow. Secret Network warned affected users their funds may be lost. Axelar quickly confirmed its network was not compromised and firewalled the impact.
The Numbers
The exploit netted $4.67 million, making it one of the larger hacks in a month that has seen at least 22 crypto breaches, collectively exceeding $42M in stolen funds. SCRT, trading at $0.058, is down 99% from its 2021 all-time high, while AXL at $0.045 has dropped 98% from its 2024 peak. After the theft, funds were moved to Ethereum and split into approximately 30 wallets before being deposited to exchanges like KuCoin, ChangeNow, and HitBTC.
Why It Happened
The root cause was a smart contract that failed to verify the source of inbound transfers. This oversight let an attacker forge deposit messages over a controlled channel, minting genuine saTokens with no underlying assets. The contract lacked proper input validation, a critical flaw in cross-chain integrations. Once minted, the tokens were redeemed through the legitimate bridge mechanism, draining real escrowed funds. Insufficient auditing and weak security practices on Secret Network鈥檚 custom contracts contributed to the breach.
Broader Impact
The incident spotlights persistent risks in cross-chain bridges and wrapped assets, even as interoperability grows. Axelar鈥檚 firewalling successfully contained the damage, preventing cross-chain contagion. However, trust in Secret Network鈥檚 DeFi ecosystem may wane, and the exploit underscores the need for rigorous smart contract validation. With SCRT and AXL already near all-time lows, the negative sentiment could add selling pressure.
What to Watch Next
- Monitor whether exchanges freeze the attacker's deposits; some funds may be recoverable if identified in time.
- Watch for an official post-mortem or compensation plan from Secret Network for affected saXXX holders.
- Keep an eye on SCRT and AXL price action鈥攆urther exploit news could push them lower despite contained damage.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
漏 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
