Skip to main content

Secret Network Bridge Loses $4.7M to ‘Infinite Mint’ Flaw



An attacker exploited an “infinite mint” vulnerability in a smart contract on the Secret Network, creating wrapped Axelar assets without proper backing. The incident resulted in a reported $4.67 million loss, according to blockchain research firm Common Prefix.



The breach occurred on June 10 but was identified a week later, on June 17, after a failed cross-chain transaction triggered an “insufficient funds” error tied to the drained account, Common Prefix said in a report released Friday. The funds were then routed to Ethereum and distributed across multiple wallets before being moved to exchanges, the firm added.



Key takeaways



  • Common Prefix attributes the $4.67 million exploit to an infinite-mint flaw in a Secret Network contract that minted unbacked Axelar-wrapped tokens.

  • The issue was traced to missing verification of the source of inbound transfers before minting, allowing forged deposits on an attacker-controlled channel.

  • Wrapped assets affected included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH.

  • Secret Network said holders of Axelar-bridged saXXX tokens may face loss, while both Secret and Axelar emphasized that Secret’s token SCRT and Axelar’s infrastructure were not directly compromised.



How the exploit worked on Secret’s Axelar bridge


Secret Network is a privacy-focused layer-1 blockchain built on the Cosmos ecosystem. Axelar, meanwhile, is designed to enable interoperability between different blockchain networks. The exploit targeted a smart contract handling Axelar-wrapped assets on Secret, where wrapped “saTokens” are expected to represent collateral held in escrow.



Common Prefix reported that the contract failed to verify the provenance of inbound transfers before minting. As a result, the attacker could “forge” deposits over an attacker-controlled channel, triggering the minting of “genuine saTokens with no assets backing them,” the firm said.



After minting, the attacker redeemed the Axelar-wrapped assets back through legitimate channels. Common Prefix said the redemption drained the real Axelar-wrapped assets held in escrow, converting the unbacked representations into backed value.



Timeline and discovery: from June 10 to June 17


While the exploit itself took place on June 10, the crucial indicator of trouble appeared later. Common Prefix said the breach was discovered on June 17 after a cross-chain transaction failed due to an “insufficient funds” error connected to the account that had been drained.



This delay matters for users because it highlights how bridge or escrow-related systems can continue operating normally—or at least not immediately signal obvious failures—until specific downstream actions surface the shortfall. In practice, that can mean the window between minting and detection may be long enough for assets to be redistributed before investigators fully connect the dots.



Where the stolen funds went


Common Prefix reported that after exploiting the wrapped tokens, the attacker moved the assets to the Ethereum blockchain and converted them to Ether (ETH). The firm also said the attacker split the proceeds among roughly 30 wallets.



Those wallets were then used to move funds into exchanges, including KuCoin, ChangeNow, and HitBTC, according to the report. The multi-wallet approach is a common tactic in laundering activity, aimed at complicating tracing by breaking up transaction flows and distribution patterns.



Which tokens were affected—and what Secret said to users


The affected Axelar-wrapped assets minted without backing included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH. Common Prefix emphasized that the backing of these tokens was compromised, meaning token holders may not be able to redeem them for their intended collateral.



On Saturday, Secret Network issued a security notice stating that holders of Axelar-bridged saXXX tokens on Secret should expect their backing to be affected and that their funds “may be lost.”



Secret’s own native token, Secret (SCRT), was not reported as impacted by the incident. However, the notice underscores that this was not a general compromise of the network itself, but a targeted weakness in the minting path for specific bridged assets.



Axelar’s response: not compromised, firewall contained impact


Axelar acknowledged the incident on Saturday after “some confusion” emerged around the breach. In its statement, Axelar said neither Axelar nor IBC (Inter-Blockchain Communication) was compromised.



Axelar added that the exploited token smart contract “was not developed, deployed, or maintained by Axelar,” and that Axelar’s firewalling prevented the impact from spreading to other chains.



For investors and builders, the distinction is significant: it narrows the likely source of failure to the contract logic on the Secret side rather than Axelar’s core interoperability infrastructure. Even so, cross-chain systems remain tightly coupled through assumptions about escrow, message integrity, and minting verification—exactly where this exploit appears to have broken those assumptions.



Part of a wider wave of protocol attacks


This breach arrives amid a broader pattern of cross-chain and protocol exploitation. Common Prefix noted it is among a series of hacks and exploits occurring this month, with at least 22 incidents reported by DeFiLlama’s ongoing hack tracking.



Within that same recent period, other reported bridge-related losses included Humanity Protocol and Syscoin Bridge, which earlier this month suffered reported losses of $32 million and $8 million respectively, according to coverage referenced in Common Prefix’s context.



While each event has its own root cause, the recurring theme is similar: many of the highest-value failures occur where bridging logic meets asset accounting—especially when systems mint representations based on messages or deposits that are not strongly authenticated end-to-end.



Going forward, users holding affected saTokens should watch for further announcements from Secret and for any guidance on whether and how remaining balances can be redeemed. The key open question is how quickly and completely the affected minting pathway can be audited and patched—because in cross-chain ecosystems, even small verification gaps can translate into real, backed-value drains once an attacker finds a redemption route.



https://www.cryptobreaking.com/secret-network-bridge-loses-4/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Secret%20Network%20Bridge%20Loses%20$4.7M%20to%20‘Infinite%20Mint’%20Flaw%20
Labels:

Comments

Post a Comment

Popular posts from this blog

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...
Post a Comment
Read more

Mastercard Launches AI Agent Pay System With Ripple and Solana Help

Mastercard has launched Agent Pay for Machines, a payments system built for autonomous software agents. The service allows AI agents to send and receive payments without direct human action. It brings Ripple, Coinbase, and Solana Foundation into Mastercard’s push for automated digital commerce. Ripple Brings XRPL and RLUSD to Mastercard’s Agent Pay System Mastercard introduced Agent Pay for Machines on June 10 as a tool for machine-led payments. The system targets high-volume and low-value transactions across business and consumer use cases. It also supports automated settlement between software agents and connected machines. Ripple will support the system through the XRP Ledger and its RLUSD stablecoin. The company said that settlement will become more important as automated commerce grows. It also sees blockchain rails as useful for fast and rule-based payments. RippleX senior vice president Markus Infanger said XRPL and RLUSD support enterprise-grade agent payments. He said the tool...
Post a Comment
Read more

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...
Post a Comment
Read more