Axelar Says $4.67M Stolen in IBC Bridge Incident Involving Secret Network

Axelar Network said on X it has identified a security incident impacting assets bridged from Axelar to Secret Network via IBC, with about $4.67 million in tokens stolen. Axelar said initial findings indicate the problem is confined to Secret's ICS20 smart contract, part of the Cosmos IBC linkage between Secret and Axelar that supports transfers from Axelar to Secret. After detecting the issue, the Axelar Emergency Committee disabled the Secret and SecretSNIP connections. The team said it is coordinating with relevant exchanges and law enforcement. Axelar added that only assets bridged from Axelar to Secret via IBC are affected; other IBC connections and Secret-native tokens appear unaffected. Axelar also said its other integrations remain unaffected and its core protocol has not been compromised. Separately, Common Prefix's analysis of the Secret Network incident said the attacker exploited an infinite-mint vulnerability in a modified CW20ICS20 token contract on Secret, enabling the theft of roughly $4.67 million. The attacker reportedly launched a new Cosmos chain with a single validator and self-relayed IBC packets to mint arbitrary Secret-wrapped Axelar assets on Secret. The report said the contract failed to verify the source IBC channel for inbound tokens, after which the attacker exited through the Axelar bridge. Axelar said its protocol was not breached and that safeguards prevented the activity from spreading to other chains.