Secret Network / Axelar Bridge Exploit June 2026

2023-03-01

Vulnerable CW20-ICS20 bridge contract originally deployed on Secret Network without the parse_voucher_denom() and reduce_channel_balance() validation checks. No external security audit was requested.

2026-03-05

Contract migrated to Code ID 2446 to add new functionality. The migration preserved the missing source-validation checks without remediation and without triggering a new security audit.

2026-06-10

Attacker creates a single-validator Cosmos chain, opens an unauthorized IBC channel to the vulnerable bridge contract, self-relays forged packets, and mints approximately $4.67 million in unbacked saTokens across seven asset classes before redeeming them for real escrowed assets.

2026-06-17

A legitimate cross-chain transfer from a normal user fails due to insufficient escrow reserves, exposing the shortfall. Investigators trace the deficit to the seven withdrawals executed on June 10. Secret Network's encrypted balances had masked the missing collateral for seven days.

2026-06-19

Axelar's emergency committee disables the Secret and Secret-SNIP IBC connections (channels 60/61). Squid router removes Secret Network from its interface. Axelar and Secret Network make initial public disclosures.

2026-06-20

CryptoTimes publishes technical post-mortem detailing the two missing validation functions, the March 2026 migration history, and the attacker's methodology. Yellow.com and BanklessTimes publish additional analysis attributing the postmortem to blockchain security firm Common Prefix.

2026-06-22

Cointelegraph and additional outlets publish coverage. SCRT reported down approximately 28.5% for the month. Axelar formally clarifies that its core protocol was not breached and that the exploited contract was not its responsibility. No compensation plan or bridge restoration timeline announced.