Key facts
- Approximately $4.67 million in tokens were drained from Secret Network via a smart contract exploit.
- The exploit targeted a modified CW20-ICS20 contract used for cross-chain transfers between Secret Network and Axelar.
- The vulnerability allowed an attacker to mint unbacked wrapped tokens by bypassing checks for IBC channel authenticity and escrow limits.
- The attacker created a separate blockchain to send forged deposit packets, which were then redeemed for actual bridged assets.
- Axelar detected the exploit on June 17, nine days after the initial fraudulent transactions occurred on June 10.
- Axelar has disconnected the affected IBC connection to Secret Network, stating its core protocol remains secure.
Approximately $4.67 million in cryptocurrency was drained from Secret Network due to a vulnerability in a smart contract used for cross-chain transfers via the Axelar bridge. The exploit, which went unnoticed for nine days, allowed an attacker to mint unbacked tokens by bypassing crucial verification checks related to the Inter-Blockchain Communication (IBC) channel and escrow availability.
The attacker reportedly created a minimal blockchain with a single validator, established a new IBC channel to Secret Network, and sent forged deposit packets. The vulnerable contract, designed to process incoming IBC transfers and generate wrapped versions of bridged tokens, failed to validate these packets, accepting them as legitimate if the token ID was on an allowlist.
Once the unbacked tokens were minted, the attacker redeemed them through the standard Axelar mechanism, draining the actual bridged assets held in escrow. The stolen funds were subsequently routed through Osmosis to Ethereum, swapped for ETH, split across approximately 30 wallets, and deposited into exchanges including KuCoin, ChangeNow, and HitBTC.
Axelar stated that the issue was isolated to the Secret-side CW20-ICS20 smart contract and did not affect its core protocol, other IBC connections, or other chains. The company's emergency task force disconnected the affected IBC route to Secret Network immediately upon identifying the incident on June 17. The vulnerability's logic was traced back to early public commits in 2023, indicating a long-standing flaw in the contract's message authentication.
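The two missing checks named above (that a deposit packet arrived on the one IBC channel the contract was configured to trust, and that the wrapped supply stays covered by escrow) can be made concrete with a small model. The following is an added example written for this article, not code from Axelar, Secret Network, or the affected CW20-ICS20 contract: the packet and state types, the channel id `channel-7`, the denom `axlUSDC`, and all balances are constructed assumptions. It places an allowlist-only handler beside a hardened one and adds the invariant a monitor would evaluate to detect unbacked supply.

```rust
use std::collections::HashMap;

/// Simplified incoming fungible-token packet (constructed; not the real
/// ibc-go / CosmWasm types).
#[derive(Debug, Clone)]
pub struct IncomingPacket {
    pub source_channel: String, // IBC channel the packet arrived on
    pub denom: String,          // token identifier carried by the packet
    pub amount: u128,
}

/// Minimal bridge-contract state (constructed for illustration).
#[derive(Debug)]
pub struct BridgeState {
    /// The single IBC channel this contract was deployed to trust.
    pub trusted_channel: String,
    /// Denoms the contract is willing to wrap.
    pub allowlist: Vec<String>,
    /// Real assets backing each denom; wrapped supply must never exceed this.
    pub escrow: HashMap<String, u128>,
    /// Wrapped tokens minted so far per denom.
    pub minted: HashMap<String, u128>,
}

#[derive(Debug, PartialEq)]
pub enum RejectReason {
    DenomNotAllowed,
    UntrustedChannel,
    ExceedsEscrow,
}

impl BridgeState {
    /// Weak handler: the only gate is the allowlist. Any channel, any amount.
    /// Returns the new wrapped supply for the denom.
    pub fn receive_allowlist_only(&mut self, p: &IncomingPacket) -> Result<u128, RejectReason> {
        if !self.allowlist.contains(&p.denom) {
            return Err(RejectReason::DenomNotAllowed);
        }
        let m = self.minted.entry(p.denom.clone()).or_insert(0);
        *m += p.amount;
        Ok(*m)
    }

    /// Hardened handler: the packet must arrive on the trusted channel and the
    /// resulting wrapped supply must stay covered by escrow (overflow-safe).
    pub fn receive_checked(&mut self, p: &IncomingPacket) -> Result<u128, RejectReason> {
        if !self.allowlist.contains(&p.denom) {
            return Err(RejectReason::DenomNotAllowed);
        }
        if p.source_channel != self.trusted_channel {
            return Err(RejectReason::UntrustedChannel);
        }
        let escrowed = *self.escrow.get(&p.denom).unwrap_or(&0);
        let already = *self.minted.get(&p.denom).unwrap_or(&0);
        let new_total = already
            .checked_add(p.amount)
            .ok_or(RejectReason::ExceedsEscrow)?;
        if new_total > escrowed {
            return Err(RejectReason::ExceedsEscrow);
        }
        self.minted.insert(p.denom.clone(), new_total);
        Ok(new_total)
    }

    /// Solvency invariant a monitor can evaluate: every denom whose wrapped
    /// supply exceeds its escrow is returned, sorted for stable output.
    pub fn unbacked_denoms(&self) -> Vec<String> {
        let mut bad: Vec<String> = self
            .minted
            .iter()
            .filter(|(d, m)| **m > *self.escrow.get(*d).unwrap_or(&0))
            .map(|(d, _)| d.clone())
            .collect();
        bad.sort();
        bad
    }
}

/// Constructed starting state: 1,000 units of axlUSDC backing, nothing minted yet.
pub fn demo_state() -> BridgeState {
    BridgeState {
        trusted_channel: "channel-7".to_string(),
        allowlist: vec!["axlUSDC".to_string()],
        escrow: HashMap::from([("axlUSDC".to_string(), 1_000u128)]),
        minted: HashMap::new(),
    }
}

fn main() {
    // A packet from a channel the contract never agreed to trust.
    let forged = IncomingPacket {
        source_channel: "channel-99".to_string(),
        denom: "axlUSDC".to_string(),
        amount: 5_000,
    };
    let mut weak = demo_state();
    println!("allowlist-only: {:?}", weak.receive_allowlist_only(&forged));
    println!("unbacked after weak handler: {:?}", weak.unbacked_denoms());
    let mut hardened = demo_state();
    println!("checked: {:?}", hardened.receive_checked(&forged));
    println!("unbacked after checked handler: {:?}", hardened.unbacked_denoms());
}
```

The weak handler mints 5,000 wrapped units against 1,000 in backing and the invariant immediately flags the denom; the hardened handler rejects the same packet on the channel check before any balance arithmetic runs, and would still reject it on the escrow check if the channel were right. The `unbacked_denoms` invariant is the kind of periodic solvency check that would have surfaced this class of mint well before a nine-day detection gap.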
This incident highlights the persistent security risks associated with cross-chain bridges, which have been a frequent target for exploits. Bridges built on similar lock-and-mint logic have reportedly lost over $340 million this year.
