A security breach involving the bridge connection between Secret Network and Axelar has resulted in the loss of roughly $4.67 million in crypto assets. According to findings from Axelar and independent security researchers, attackers exploited a flaw that remained unnoticed for nearly a week before security teams detected the issue.
Exploit Targeted Secret Network Bridge Contract
Early investigations show that the attack did not affect Axelar’s core interoperability protocol. Instead, hackers targeted a token transfer contract operating on Secret Network.
Researchers from Common Prefix reported that the vulnerability existed in a modified CW20-ICS20 token contract. The contract allegedly failed to verify the origin IBC channel of incoming token transfers. As a result, attackers could mint unlimited amounts of wrapped assets and then withdraw legitimate value through the bridge.
The affected assets were transferred between Axelar and Secret Network using the Cosmos Inter-Blockchain Communication (IBC) framework.
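To make the missing origin check concrete, the following added example (not code from Secret Network, Axelar or the CW20-ICS20 contract) models a receive handler with and without a per-denom channel allow-list. All type names, function names, channel ids and addresses are hypothetical, constructed values.

```rust
use std::collections::HashMap;

// Simplified model of an ICS20-style receive path. Every name here is
// hypothetical; none of it is the real CW20-ICS20 contract API.
pub struct Packet<'a> {
    pub dest_channel: &'a str, // local channel the packet arrived on
    pub denom: &'a str,
    pub amount: u128,
    pub receiver: &'a str,
}

#[derive(Default)]
pub struct Bridge {
    pub allowed: HashMap<String, String>, // denom -> only channel allowed to mint it
    balances: HashMap<(String, String), u128>, // (receiver, denom) -> wrapped balance
}

impl Bridge {
    fn mint(&mut self, p: &Packet) {
        let key = (p.receiver.to_string(), p.denom.to_string());
        *self.balances.entry(key).or_insert(0) += p.amount;
    }
    pub fn balance(&self, receiver: &str, denom: &str) -> u128 {
        let key = (receiver.to_string(), denom.to_string());
        self.balances.get(&key).copied().unwrap_or(0)
    }
    // Flawed path: mints for any packet, whichever channel delivered it.
    pub fn receive_unchecked(&mut self, p: &Packet) -> Result<(), String> {
        self.mint(p);
        Ok(())
    }
    // Hardened path: mint only when the packet arrived on the registered channel.
    pub fn receive_checked(&mut self, p: &Packet) -> Result<(), String> {
        match self.allowed.get(p.denom) {
            Some(ch) if ch.as_str() == p.dest_channel => { self.mint(p); Ok(()) }
            Some(_) => Err(format!("{} not accepted on {}", p.denom, p.dest_channel)),
            None => Err(format!("{} has no registered channel", p.denom)),
        }
    }
}

fn main() {
    // Constructed sample: channel-1 is the registered counterparty link,
    // channel-99 leads to a chain nobody vetted.
    let mut b = Bridge::default();
    b.allowed.insert("uaxl".into(), "channel-1".into());
    let rogue = Packet { dest_channel: "channel-99", denom: "uaxl", amount: 1_000, receiver: "secret1x" };
    println!("checked: {:?}", b.receive_checked(&rogue));
    println!("unchecked: {:?}", b.receive_unchecked(&rogue));
}
```

The hardened path fails closed: a denom with no registered channel is rejected rather than minted.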
Attackers Allegedly Created Fake Assets
Security analysts believe the attacker set up a custom Cosmos-based blockchain with a single validator. By manipulating IBC packet flows, the individual reportedly generated unauthorized Secret-wrapped Axelar tokens.
Secret Network’s privacy-focused design may have contributed to the delayed discovery. Since transaction details are encrypted, traditional blockchain monitoring tools had difficulty identifying suspicious activity.
Key findings from the investigation include:
- Approximately $4.67 million in assets were stolen.
- The exploit remained active for around seven days.
- Axelar’s core protocol and validator network were not compromised.
- Emergency measures were implemented after detection.
Axelar Responds and Launches Investigation
After discovering the exploit, Axelar’s emergency committee quickly disabled the Secret and Secret-SNIP bridge connections. The company also contacted exchanges and law enforcement agencies as part of ongoing recovery efforts.
The incident adds to the growing list of cross-chain bridge security failures in decentralized finance. Although the losses are smaller than major bridge hacks such as Wormhole and Ronin, the event highlights the risks associated with third-party smart contracts and bridge integrations.