Secret Network's Axelar bridge was drained of roughly $4.67 million on June 10 after an attacker exploited a flaw in a custom CW20-ICS20 contract that mints Secret-wrapped versions of Axelar-wrapped assets — known as saTokens — without verifying which IBC channel an inbound transfer arrived on. According to a postmortem from Common Prefix, the lead Axelar steward, the attacker spun up a single-validator Cosmos chain, opened an IBC channel to the contract, and self-relayed forged packets carrying denominations that matched the contract's allow-list, minting real saTokens against nothing. The drain sat undetected for seven days, surfacing only on June 17 when a routine cross-chain transfer failed because the escrow account no longer held enough to cover it.
Why it matters
The vulnerability was not new — Common Prefix traced the missing channel check to the contract's early-2023 deployment, and a March 5 migration that updated the bytecode for new features carried the same flaw forward. Secret Network's own writeup said the bridge contract was reworked from an escrow model to a mint model for the Axelar integration, and the two functions that would have validated a transfer's source were removed in that rework. Crucially, Axelar requested no external audit as part of the integration, and because Secret's on-chain balances are encrypted, the shortfall stayed invisible where a drained pool on Ethereum would have been plain to see. The exploit drew an explicit parallel to the recent Zcash disclosure, where a counterfeiting vulnerability drove ZEC down more than 30%.
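The missing check, as an added illustration in Rust (not the bridge contract's own code, and written without cosmwasm-std): a simplified receive path that mints against a denom allow-list alone, beside one that also requires the packet to have arrived on the single channel opened with Axelar. The denom, channel ids and saToken mapping are constructed placeholders.

```rust
use std::collections::HashMap;

/// Minimal stand-in for an inbound ICS-20 packet (constructed; not cosmwasm-std).
#[derive(Debug, Clone)]
pub struct InboundPacket {
    pub dest_channel: String, // channel on the local chain the packet arrived through
    pub denom: String,        // ICS-20 denomination carried by the packet
    pub amount: u128,
}

#[derive(Debug, PartialEq)]
pub enum MintError {
    DenomNotAllowed,
    UntrustedChannel,
}

pub struct Bridge {
    pub allowed_denoms: HashMap<String, String>, // inbound denom -> saToken name
    pub trusted_channel: String,                // the one channel opened with Axelar
    pub minted: HashMap<String, u128>,          // saToken name -> total minted
}

impl Bridge {
    /// Shared mint path: allow-list lookup, then credit the saToken supply.
    fn mint_for(&mut self, p: &InboundPacket) -> Result<u128, MintError> {
        let token = self.allowed_denoms.get(&p.denom).ok_or(MintError::DenomNotAllowed)?.clone();
        let supply = self.minted.entry(token).or_insert(0);
        *supply += p.amount;
        Ok(*supply)
    }
    /// Vulnerable shape: any channel whose packet names an allow-listed denom mints.
    pub fn receive_vulnerable(&mut self, p: &InboundPacket) -> Result<u128, MintError> {
        self.mint_for(p)
    }
    /// Hardened shape: reject packets that did not arrive on the trusted channel.
    pub fn receive_hardened(&mut self, p: &InboundPacket) -> Result<u128, MintError> {
        if p.dest_channel != self.trusted_channel {
            return Err(MintError::UntrustedChannel);
        }
        self.mint_for(p)
    }
}

/// Constructed fixture: one allow-listed denom and one trusted channel id (placeholders).
pub fn demo_bridge() -> Bridge {
    let mut allowed = HashMap::new();
    allowed.insert("axlUSDT".to_string(), "saUSDT".to_string());
    Bridge { allowed_denoms: allowed, trusted_channel: "channel-20".to_string(), minted: HashMap::new() }
}
```

A packet from an attacker-controlled channel passes the vulnerable path on the denom string alone, while the hardened path rejects it before any supply is credited.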
Market impact
Seven saTokens were drained — saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH — and the attacker routed the proceeds through Osmosis via packet-forwarding before bridging to Ethereum and mostly swapping for ether on CoW Protocol, splitting it across roughly 30 fresh wallets that landed at KuCoin, ChangeNow and HitBTC. Axelar's emergency committee disabled the Secret and Secret-SNIP connections and cross-chain router Squid delisted the network; the Axelar team said its core protocol was untouched.
Frequently asked questions
- How did the attacker drain the Secret-Axelar bridge?
The attacker spun up a single-validator Cosmos chain, opened an IBC channel to a custom CW20-ICS20 contract on Secret, and self-relayed forged packets whose denominations matched the contract's allow-list. The contract could not distinguish those bare denominations from Axelar's real channel, so it minted real…
- Which tokens were drained and how much was taken?
Roughly $4.67 million was taken across seven saTokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH, according to the Common Prefix postmortem.
- Why did the exploit go unnoticed for seven days?
Secret Network balances are encrypted by default, so the missing collateral was not visible on-chain the way a drained pool would be on Ethereum. The shortfall only surfaced on June 17, when a routine cross-chain transfer failed with an error showing the escrow account no longer held enough to cover it.
- Was the vulnerability new, and was the code audited?
Common Prefix traced the missing channel check to the contract's initial early-2023 deployment, and a March 5 migration that updated the bytecode for new features carried the same flaw forward. Secret Network's own writeup said no external audit was requested by Axelar as part of the integration.
- What has happened to the stolen funds and to the bridge?
The attacker routed proceeds through Osmosis to Ethereum, swapped to ETH on CoW Protocol, and split the balance across roughly 30 fresh wallets landing at KuCoin, ChangeNow and HitBTC. Axelar's emergency committee disabled the Secret and Secret-SNIP connections, Squid delisted the network, and Axelar said it is…
TheBlock