Verify a decision

{"actor":"system:backfill","investigation_id":"bde30030-ae78-4670-a381-883d97728617","kind":"publish","page_slug":"secret-network-axelar-bridge-exploit-june-2026","published_at":"2026-06-30T17:09:41.067Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Secret Network / Axelar Bridge Exploit June 2026","sections":[{"content":"On June 10, 2026, an attacker drained approximately $4.67 million in bridged assets from the Axelar-to-Secret Network IBC bridge. The attacker exploited an infinite-mint vulnerability in a customized CW20-ICS20 smart contract (contract address: secret1yxjmepvyl2c25vnt53cr2dpn8amknwausxee83) deployed on Secret Network's secret-4 chain, which managed so-called 'saTokens' — privacy-preserving wrapped versions of Axelar-bridged assets. Seven asset classes were affected: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Axelar's emergency committee disabled the Secret and Secret-SNIP IBC connections upon discovery. Axelar stated that its core protocol and all other IBC connections were unaffected. The exploit ranks as the third-largest crypto theft reported that month, behind Humanity Protocol at $32 million and the Syscoin Bridge at $8 million.","heading":"Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"Secret Network's Axelar bridge drained for $4.67 million in infinite-mint exploit that went unnoticed for seven days","type":"news_article","url":"https://www.theblock.co/post/405459/secret-networks-axelar-bridge-drained-for-4-67-million-in-infinite-mint-exploit-that-went-unnoticed-for-seven-days"},{"credibility":2,"name":"4.67M Exploit Hits Axelar Secret Network Bridge Links Disabled","type":"news_article","url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"}]},{"content":"The vulnerable contract (Code ID 2446) was a fork of the standard ICS-20 token transfer specification, customized to issue privacy-preserving saTokens on Secret Network. According to a postmortem published by blockchain security firm Common Prefix, developers had commented out two essential security checks in the contract's do_ibc_packet_receive function: (1) parse_voucher_denom(), which would have validated denomination channel traces against actual packet sources, ensuring tokens carried the /port/channel prefix identifying the legitimate Axelar channel; and (2) reduce_channel_balance(), which would have capped token releases to the amount genuinely escrowed per channel. Without these checks, the contract accepted bare token denominations from any IBC channel as long as the token name appeared in its allow-list, making an attacker-controlled channel indistinguishable from Axelar's legitimate one. The root cause is attributed to the contract's original deployment in early 2023. Importantly, no external security audit was requested either at initial deployment or at the time of the March 2026 migration, according to reporting from CryptoTimes and yellow.com.","heading":"Technical Root Cause","severity":"critical","sources":[{"credibility":2,"name":"How a Custom Code Flaw Cost Secret Network $4.67 Million","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"credibility":2,"name":"Secret Network's $4.67M Bridge Heist Started With One Missing Check","type":"news_article","url":"https://yellow.com/news/secret-network-bridge-missing-check"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67 Million After Vulnerability Goes Undetected for a Week","type":"news_article","url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"}]},{"content":"The attacker executed the exploit in four documented steps. First, they created a single-validator Cosmos-based blockchain under their control. Second, they opened a new IBC channel directly to the vulnerable Secret Network bridge contract. Third, they self-relayed forged IBC transfer packets carrying bare token denominations matching the contract's allow-list (e.g., 'uusdc', 'uusdt') without the required /port/channel prefix. Fourth, because the contract accepted these forged packets as valid deposits, it minted genuine, redeemable saTokens against no real collateral. The attacker then redeemed the minted saTokens over the legitimate Axelar IBC channel, withdrawing real assets from the Axelar escrow account. After draining approximately $4.67 million, the attacker routed proceeds through Osmosis and then bridged them to Ethereum, where most assets were swapped for ETH via CoW Protocol. The stolen funds were subsequently split across approximately 30 wallets and deposited at the exchanges KuCoin, ChangeNow, and HitBTC. Approximately $770,000 remained in the attacker's Axelar wallet at time of initial reporting, with roughly $672,000 still untouched at the time of subsequent coverage.","heading":"Attack Methodology","severity":"critical","sources":[{"credibility":2,"name":"How a Custom Code Flaw Cost Secret Network $4.67 Million","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67M From Axelar Link","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/20/secret-network-bridge-exploit-drains-4-67m-from-axelar-link/"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67 Million After Vulnerability Goes Undetected for a Week","type":"news_article","url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"}]},{"content":"The exploit remained undetected for seven days — from June 10 to June 17, 2026. The core detection failure is attributed to Secret Network's privacy-by-default architecture: the network encrypts account balances and transaction data by default, meaning the missing collateral in the Axelar escrow account was not visible on-chain through normal monitoring tools. The shortfall was only revealed on June 17 when a legitimate user attempted a cross-chain transfer that failed due to insufficient escrow reserves. Investigators then traced the error back to seven withdrawals executed on June 10. Multiple outlets noted that the same privacy feature that defines Secret Network's value proposition — encrypted on-chain state — functioned as a detection blindspot in this incident, preventing the kind of real-time balance anomaly detection that would flag a drain on a transparent chain. The SCRT token dropped approximately 28.5% in June following disclosure. Community commentary was mixed, with some members arguing the incident challenged Secret's core value proposition while others maintained that privacy-preserving computation remains strategically defensible.","heading":"Seven-Day Detection Failure and the Privacy Paradox","severity":"high","sources":[{"credibility":2,"name":"4.67M Exploit Hits Axelar Secret Network Bridge Links Disabled","type":"news_article","url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67 Million After Vulnerability Goes Undetected for a Week","type":"news_article","url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"}]},{"content":"The vulnerable CW20-ICS20 contract was originally deployed on Secret Network in early 2023. According to the Common Prefix postmortem, the missing source-validation logic was present from initial deployment. On March 5, 2026, the contract underwent a migration to Code ID 2446, ostensibly to add new functionality. The migration preserved the vulnerable code unchanged. Crucially, neither the original deployment nor the March 2026 migration triggered a new external security audit. Axelar confirmed in its public statement that 'the altered version changed the contract's trust assumptions but did not undergo a new security audit' and that the exploited contract 'was not developed, deployed, or maintained by Axelar.' The absence of audit coverage across a multi-year lifespan and a significant migration event is considered a primary contributing factor to the exploit going undetected.","heading":"Contract Migration History and Audit Absence","severity":"high","sources":[{"credibility":2,"name":"How a Custom Code Flaw Cost Secret Network $4.67 Million","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"credibility":2,"name":"Axelar Clarifies $4.67M Secret Network Bridge Exploit Origin","type":"news_article","url":"https://www.kucoin.com/news/flash/axelar-clarifies-4-67m-secret-network-bridge-exploit-origin"},{"credibility":2,"name":"Secret Network's $4.67M Bridge Heist Started With One Missing Check","type":"news_article","url":"https://yellow.com/news/secret-network-bridge-missing-check"}]},{"content":"Upon discovery on June 17, 2026, Axelar's emergency committee acted within hours to disable the Secret and Secret-SNIP IBC connections (channels 60/61 connecting to axelar-dojo-1). Squid, a cross-chain router built on Axelar, also removed Secret Network from its interface. Axelar stated: 'This incident is isolated to assets on Secret that were bridged over IBC from Axelar. No other Axelar integrations or IBC connections appear to be impacted.' Axelar further clarified that 'neither Axelar nor IBC was compromised' and that 'the exploited token smart contract was not developed, deployed, or maintained by Axelar.' A full post-mortem was described as in progress at the time of initial disclosure with no publication timeline given. Axelar coordinated with exchanges and law enforcement to trace stolen funds. Secret Network advised holders of affected saXXX tokens that 'their backing was affected, and your funds may be lost.' No compensation plan or timeline for bridge restoration had been announced as of the time of reporting.","heading":"Incident Response and Responsibility Dispute","severity":"high","sources":[{"credibility":2,"name":"4.67M Exploit Hits Axelar Secret Network Bridge Links Disabled","type":"news_article","url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"credibility":2,"name":"Axelar Clarifies $4.67M Secret Network Bridge Exploit Origin","type":"news_article","url":"https://www.kucoin.com/news/flash/axelar-clarifies-4-67m-secret-network-bridge-exploit-origin"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"}]},{"content":"Users who held saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, or sawstETH tokens on Secret Network at the time of the exploit were directly exposed to losses, as the backing collateral for those tokens was drained from Axelar's escrow. Secret Network's official communication acknowledged that affected saXXX token holders' funds 'may be lost.' No reimbursement mechanism or compensation fund had been announced as of late June 2026. Approximately $770,000 in stolen funds remained in the attacker's primary Axelar wallet at the time of initial reporting; Secret Network petitioned Axelar to freeze those assets. The native SCRT token itself was not technically affected by the exploit, though its market price dropped approximately 28.5% in June 2026 following disclosure. AXL, Axelar's native token, was trading at approximately $0.045 at the time of coverage — down approximately 98% from its 2024 peak.","heading":"User Fund Impact","severity":"high","sources":[{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67 Million After Vulnerability Goes Undetected for a Week","type":"news_article","url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67M From Axelar Link","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/20/secret-network-bridge-exploit-drains-4-67m-from-axelar-link/"}]},{"content":"The Secret Network–Axelar bridge exploit occurred within a pattern of cross-chain bridge losses in 2026. Reporting from BanklessTimes cited cumulative bridge exploit losses of over $340 million in 2026 alone at the time of this incident, with comparable events including the Resolv bridge ($25 million), Verus ($11 million), and IoTeX ($4 million). The Secret Network incident illustrates a recurring vulnerability class in ICS-20 bridge implementations: customized forks that alter trust assumptions without corresponding audit coverage. The combination of an unaudited custom contract, a code migration that preserved a latent flaw, and an on-chain privacy model that obscured real-time anomaly detection distinguishes this incident as a compounding operational risk case rather than a simple code error.","heading":"Broader Bridge Security Context","severity":"medium","sources":[{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67M From Axelar Link","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/20/secret-network-bridge-exploit-drains-4-67m-from-axelar-link/"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"}]}],"sources_used":[{"credibility":2,"name":"Secret Network's Axelar bridge drained for $4.67 million in infinite-mint exploit that went unnoticed for seven days","type":"news_article","url":"https://www.theblock.co/post/405459/secret-networks-axelar-bridge-drained-for-4-67-million-in-infinite-mint-exploit-that-went-unnoticed-for-seven-days"},{"credibility":2,"name":"4.67M Exploit Hits Axelar Secret Network Bridge Links Disabled","type":"news_article","url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"credibility":2,"name":"How a Custom Code Flaw Cost Secret Network $4.67 Million","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67 Million After Vulnerability Goes Undetected for a Week","type":"news_article","url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"},{"credibility":2,"name":"Secret Network Bridge Exploited for $4.7M with Infinite Mint Bug (CoinTelegraph via TradingView)","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"},{"credibility":2,"name":"Axelar Clarifies $4.67M Secret Network Bridge Exploit Origin","type":"news_article","url":"https://www.kucoin.com/news/flash/axelar-clarifies-4-67m-secret-network-bridge-exploit-origin"},{"credibility":2,"name":"Secret Network's $4.67M Bridge Heist Started With One Missing Check","type":"news_article","url":"https://yellow.com/news/secret-network-bridge-missing-check"},{"credibility":2,"name":"Secret Network Bridge Exploit Drains $4.67M From Axelar Link","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/20/secret-network-bridge-exploit-drains-4-67m-from-axelar-link/"},{"credibility":2,"name":"Secret Network Suffers $4.67M Loss in Bridge Exploit","type":"news_article","url":"https://coinlaw.io/secret-network-4-67m-bridge-exploit/"},{"credibility":2,"name":"Axelar-bridged tokens worth $4.67 million drained in Secret Network contract exploit","type":"news_article","url":"https://www.cryptopolitan.com/axelar-bridged-tokens-worth-4-67-million-drained-in-secret-network-contract-exploit/"},{"credibility":2,"name":"Secret Network Bridge Loses $4.7M to Infinite Mint Flaw","type":"news_article","url":"https://www.cryptobreaking.com/secret-network-bridge-loses-4/"},{"credibility":2,"name":"Axelar shuts down Secret Network bridge routes after $4.7M exploit","type":"news_article","url":"https://crypto.news/axelar-shuts-down-secret-network-bridge-routes-after-4-7m-exploit/"}],"summary":"On June 10, 2026, an attacker exploited a missing channel-origin validation in a customized CW20-ICS20 smart contract on Secret Network to mint approximately $4.67 million in unbacked Axelar-wrapped tokens (saTokens) and redeem them for real escrowed assets. The exploit went undetected for seven days due in part to Secret Network's privacy-by-default architecture, which encrypts account balances and masked the missing collateral until a failed cross-chain transfer on June 17 exposed the shortfall. Blockchain security firm Common Prefix traced the vulnerability to the contract's initial deployment in early 2023; a March 5, 2026 contract migration added new functionality but carried the unpatched validation flaw forward without a new security audit.","timeline":[{"date":"2023-03-01","event":"Vulnerable CW20-ICS20 bridge contract originally deployed on Secret Network without the parse_voucher_denom() and reduce_channel_balance() validation checks. No external security audit was requested.","source":"Common Prefix postmortem (via CryptoTimes and yellow.com)","source_url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"date":"2026-03-05","event":"Contract migrated to Code ID 2446 to add new functionality. The migration preserved the missing source-validation checks without remediation and without triggering a new security audit.","source":"CryptoTimes / Common Prefix postmortem","source_url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"date":"2026-06-10","event":"Attacker creates a single-validator Cosmos chain, opens an unauthorized IBC channel to the vulnerable bridge contract, self-relays forged packets, and mints approximately $4.67 million in unbacked saTokens across seven asset classes before redeeming them for real escrowed assets.","source":"CryptoTimes, The Block, CryptoWisser","source_url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"date":"2026-06-17","event":"A legitimate cross-chain transfer from a normal user fails due to insufficient escrow reserves, exposing the shortfall. Investigators trace the deficit to the seven withdrawals executed on June 10. Secret Network's encrypted balances had masked the missing collateral for seven days.","source":"CryptoWisser, CryptoTimes, BanklessTimes","source_url":"https://www.cryptowisser.com/news/secret-network-bridge-exploit-drains-4-67m-usd-after-vulnerability-goes-undetected-for-a-week"},{"date":"2026-06-19","event":"Axelar's emergency committee disables the Secret and Secret-SNIP IBC connections (channels 60/61). Squid router removes Secret Network from its interface. Axelar and Secret Network make initial public disclosures.","source":"CryptoTimes, KuCoin, The Block","source_url":"https://www.cryptotimes.io/2026/06/19/4-67m-exploit-hits-axelar-secret-network-bridge-links-disabled/"},{"date":"2026-06-20","event":"CryptoTimes publishes technical post-mortem detailing the two missing validation functions, the March 2026 migration history, and the attacker's methodology. Yellow.com and BanklessTimes publish additional analysis attributing the postmortem to blockchain security firm Common Prefix.","source":"CryptoTimes, yellow.com, BanklessTimes","source_url":"https://www.cryptotimes.io/2026/06/20/how-a-custom-code-flaw-cost-secret-network-4-67-million/"},{"date":"2026-06-22","event":"Cointelegraph and additional outlets publish coverage. SCRT reported down approximately 28.5% for the month. Axelar formally clarifies that its core protocol was not breached and that the exploited contract was not its responsibility. No compensation plan or bridge restoration timeline announced.","source":"CoinTelegraph via TradingView, KuCoin, CryptoWisser","source_url":"https://www.tradingview.com/news/cointelegraph:e52a8055f094b:0-secret-network-bridge-exploited-for-4-7m-with-infinite-mint-bug/"}]},"v":1}