Axelar Says $4.67M Secret Network Bridge Hack Stemmed From Altered Contract, Not Axelar or IBC
Axelar has issued a clarification on the $4.67 million exploit tied to Secret Network, saying neither Axelar nor the Inter-Blockchain Communication (IBC) protocol was compromised.
The statement follows a Common Prefix postmortem that attributed the June 10 incident to a vulnerable smart contract on Secret Network. Axelar said the exploited contract was not built, deployed, or maintained by its team.
Axelar attributed the root cause to a forked version of the CW20ICS20 contract used to wrap assets arriving via IBC. It said the fork removed two critical checks designed to prevent unauthorized token minting, creating an "infinite mint" condition. Axelar added that the changes altered the contract's trust assumptions and were not accompanied by a new security audit. Common Prefix reported similar findings.
According to Common Prefix, the contract minted Secret-wrapped assets (saTokens) without verifying the source channel for inbound transfers. That allowed an attacker to spin up a single-validator Cosmos chain, establish an IBC connection, send forged packets with approved token denominations, and receive saTokens that were not backed by collateral.
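The missing source-channel check described above, as an added example that is not the Secret Network contract or code from either postmortem. It is a simplified Rust model: the names (`Wrapper`, `Packet`, `recv_unchecked`, `recv_checked`), the `uusdc` denom and the channel ids are all hypothetical.

```rust
use std::collections::HashMap;

// Simplified model with hypothetical names; not the Secret Network contract.
struct Packet { dest_channel: &'static str, denom: &'static str, amount: u128 }

#[derive(Debug, PartialEq)]
enum RecvError { UnknownDenom, WrongChannel }

struct Wrapper {
    // Each approved denom is bound to the one local channel allowed to deliver it.
    denom_channel: HashMap<&'static str, &'static str>,
    minted: HashMap<&'static str, u128>, // wrapped supply per denom
}

impl Wrapper {
    fn mint(&mut self, p: &Packet) -> u128 {
        let supply = self.minted.entry(p.denom).or_insert(0);
        *supply += p.amount;
        *supply
    }
    // Flaw as described: the denom is approved, the arrival channel is never checked.
    fn recv_unchecked(&mut self, p: &Packet) -> Result<u128, RecvError> {
        if !self.denom_channel.contains_key(p.denom) { return Err(RecvError::UnknownDenom); }
        Ok(self.mint(p))
    }
    // Hardened: the packet must arrive on the channel its denom is bound to.
    fn recv_checked(&mut self, p: &Packet) -> Result<u128, RecvError> {
        let bound = *self.denom_channel.get(p.denom).ok_or(RecvError::UnknownDenom)?;
        if bound != p.dest_channel { return Err(RecvError::WrongChannel); }
        Ok(self.mint(p))
    }
}

// Constructed packets: one on the bound channel, one claiming the same denom
// on a channel opened by an unrelated chain.
fn replay(checked: bool) -> Vec<Result<u128, RecvError>> {
    let mut w = Wrapper { denom_channel: HashMap::new(), minted: HashMap::new() };
    w.denom_channel.insert("uusdc", "channel-1");
    let packets = [
        Packet { dest_channel: "channel-1", denom: "uusdc", amount: 100 },
        Packet { dest_channel: "channel-99", denom: "uusdc", amount: 1_000_000 },
    ];
    packets.iter().map(|p| if checked { w.recv_checked(p) } else { w.recv_unchecked(p) }).collect()
}

fn main() {
    println!("unchecked: {:?}", replay(false));
    println!("checked:   {:?}", replay(true));
}
```

In the unchecked path the wrapped supply grows with no matching escrow on the legitimate route, which is the unbacked-mint condition the postmortem describes; the checked path rejects the second packet before any state changes.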
The exploit impacted seven assets: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Investigators said the attacker then redeemed the assets through Axelar's legitimate bridge route and withdrew escrowed funds.
Common Prefix traced the vulnerability back to the contract's original deployment in early 2023. A March 5 migration kept the same missing validation checks. The theft was not detected until June 17, when a routine cross-chain transfer failed due to insufficient funds in the escrow account. Secret Network said encrypted balances made the shortfall harder to spot and that the source-verification functions had been removed during an earlier contract redesign.
After the issue was identified, Axelar disabled its Secret and SecretSNIP connections. Cross-chain router Squid also removed Secret Network from its interface. Axelar said its firewalling measures contained the impact to the affected contract and that no other chains, escrow accounts, channels, or core protocol components were affected.
Common Prefix tracked the stolen assets through Osmosis and Ethereum before exchanges and law enforcement became involved. Axelar said it remains in coordination with relevant parties and is keeping the affected connection offline.