TechFlow News: On June 20, Axelar’s official account announced the discovery of a security incident affecting assets bridged from the Axelar chain to Secret Network via IBC, resulting in the theft of approximately $4.67 million worth of tokens. According to current information, the issue is confined to the Secret-side ICS-20 smart contract within the Cosmos IBC connection between Secret and Axelar—this contract is used to bridge assets from Axelar to Secret.
Axelar stated that its emergency response committee immediately disabled both the Secret and Secret-SNIP connections upon discovering the incident. The team is coordinating with relevant exchanges and law enforcement agencies. This incident affects only assets bridged from Axelar to Secret via IBC; all other IBC connections, Secret tokens, other Axelar integrations, and the Axelar core protocol remain unaffected.
According to Common Prefix’s analysis of the incident, an attacker exploited an infinite minting vulnerability in a modified CW20-ICS20 token contract deployed on Secret to steal approximately $4.67 million. Specifically, the attacker launched a new Cosmos chain with only a single validator and self-relayed IBC packets to Secret, enabling arbitrary minting of Secret-wrapped Axelar assets on Secret. The vulnerable contract failed to verify the source IBC channel of inbound tokens. The attacker ultimately exited via the Axelar bridge; the Axelar protocol itself remained uncompromised and successfully prevented the risk from propagating to other chains.
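The missing check described in Common Prefix's analysis, shown as an added example (not code from this article, from Common Prefix, or from the Secret contract): a simplified Rust model of an inbound ICS-20 receive path, written once without and once with a per-channel allowlist. The `Bridge` and `Packet` types, the channel names and the denom are assumptions constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model of an inbound ICS-20 transfer; all names are hypothetical.
pub struct Packet<'a> {
    pub arrived_on: &'a str, // local channel the packet was delivered on
    pub denom: &'a str,
    pub receiver: &'a str,
    pub amount: u128,
}

#[derive(Default)]
pub struct Bridge {
    allowed: HashMap<String, HashSet<String>>, // channel -> denoms it may mint
    minted: HashMap<(String, String), u128>,   // (receiver, denom) -> balance
}

impl Bridge {
    pub fn allow(&mut self, channel: &str, denom: &str) {
        self.allowed.entry(channel.to_string()).or_default().insert(denom.to_string());
    }
    fn mint(&mut self, p: &Packet) {
        *self.minted.entry((p.receiver.to_string(), p.denom.to_string())).or_insert(0) += p.amount;
    }
    pub fn balance(&self, receiver: &str, denom: &str) -> u128 {
        *self.minted.get(&(receiver.to_string(), denom.to_string())).unwrap_or(&0)
    }
    // Flawed pattern: trusts the denom named in the packet and ignores the channel.
    pub fn receive_unchecked(&mut self, p: &Packet) -> Result<(), String> {
        self.mint(p);
        Ok(())
    }
    // Hardened pattern: mint only if the delivering channel is bound to this denom.
    pub fn receive_checked(&mut self, p: &Packet) -> Result<(), String> {
        let ok = self.allowed.get(p.arrived_on).map_or(false, |d| d.contains(p.denom));
        if !ok {
            return Err(format!("channel {} may not mint {}", p.arrived_on, p.denom));
        }
        self.mint(p);
        Ok(())
    }
}

fn main() {
    let mut b = Bridge::default();
    b.allow("channel-axelar", "uaxl-wrapped"); // constructed identifiers
    let p = Packet { arrived_on: "channel-other", denom: "uaxl-wrapped", receiver: "r1", amount: 1_000 };
    println!("checked: {:?}", b.receive_checked(&p));
    println!("unchecked: {:?}, balance {}", b.receive_unchecked(&p), b.balance("r1", "uaxl-wrapped"));
}
```

In the checked path, a packet for the wrapped denom that arrives on any channel other than the one bound to it is rejected before any balance changes.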