Secret Network's Axelar Bridge Drained for $4.67M in Undetected Exploit


Secret Network's Axelar bridge lost approximately $4.67 million on June 10 in an exploit that went undetected until June 17. According to a postmortem published Friday by blockchain research firm Common Prefix, the attacker exploited a flaw in a custom CW20-ICS20 token contract that failed to validate which channel inbound transfers originated from, allowing the creation of unbacked Secret-wrapped tokens. The vulnerability had existed since the contract's initial deployment in early 2023, and the seven-day detection gap occurred because Secret Network's default balance encryption concealed the missing collateral on-chain.

Attacker Exploited Missing Channel Validation in Custom Token Contract

The exploit targeted a modified CW20-ICS20 contract on Secret Network that handles assets bridged from Axelar. The contract minted Secret-wrapped versions of Axelar-wrapped assets, known as saTokens, without checking which channel an inbound transfer originated from. The attacker created a single-validator Cosmos chain, opened an IBC channel to the bridge contract, and self-relayed forged packets carrying token denominations matching the contract's allow-list. The contract could not distinguish these denominations from ones arriving over Axelar's legitimate channel and minted saTokens against them. Redeeming the minted balances back over the legitimate Axelar channel released the actual assets held in escrow. The drain affected seven saTokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH, according to Common Prefix.
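The missing check can be shown in a simplified model. The Rust sketch below is an added illustration, not code from the Secret Network contract or from Common Prefix's postmortem; the `Packet` and `Bridge` types, the channel ids, the denomination and the receiver names are all constructed assumptions. It contrasts a receive handler that consults only the denomination allow-list with one that first rejects any packet that did not arrive on the trusted channel.

```rust
use std::collections::{HashMap, HashSet};

// Simplified model of an inbound ICS-20 packet; all names and values are constructed.
pub struct Packet<'a> {
    pub dest_channel: &'a str, // local channel the packet arrived on
    pub denom: &'a str,
    pub amount: u128,
    pub receiver: &'a str,
}

pub struct Bridge {
    pub allowed_denoms: HashSet<String>,
    pub trusted_channel: String,         // the only channel backed by real escrow
    pub balances: HashMap<String, u128>, // minted wrapped-token balances
}

impl Bridge {
    pub fn new(trusted_channel: &str, denom: &str) -> Bridge {
        let mut allowed_denoms = HashSet::new();
        allowed_denoms.insert(denom.to_string());
        Bridge { allowed_denoms, trusted_channel: trusted_channel.to_string(), balances: HashMap::new() }
    }

    // Flawed pattern: only the denomination is checked before minting.
    pub fn receive_denom_only(&mut self, p: &Packet) -> Result<u128, String> {
        if !self.allowed_denoms.contains(p.denom) {
            return Err(format!("denom {} is not allow-listed", p.denom));
        }
        let bal = self.balances.entry(p.receiver.to_string()).or_insert(0);
        *bal += p.amount;
        Ok(*bal)
    }

    // Hardened pattern: reject any packet that did not arrive on the trusted channel.
    pub fn receive_checked(&mut self, p: &Packet) -> Result<u128, String> {
        if p.dest_channel != self.trusted_channel {
            return Err(format!("channel {} is not trusted", p.dest_channel));
        }
        self.receive_denom_only(p)
    }
}

fn main() {
    let p = Packet { dest_channel: "channel-99", denom: "uusdc", amount: 1_000, receiver: "addr-a" };
    println!("denom-only: {:?}", Bridge::new("channel-0", "uusdc").receive_denom_only(&p));
    println!("checked:    {:?}", Bridge::new("channel-0", "uusdc").receive_checked(&p));
}
```

In the denom-only handler the packet from the unrecognised channel results in a minted balance; in the checked handler it is rejected before any state changes.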

Vulnerability Existed Since Early 2023 Deployment

Common Prefix traced the vulnerability to the contract's initial deployment in early 2023. A March 5 migration that updated the bytecode for new features carried the same missing checks forward, and the June 10 attack struck that migrated code. In its forum post, Secret Network stated the bridge contract had been adapted from an escrow model to a mint model for the Axelar integration, and the two functions that would have validated a transfer's source were removed in that rework. Secret Network added that no external audit was requested by Axelar as part of the integration. The shortfall surfaced on June 17 when a normal cross-chain transfer on Axelar failed with an error showing the escrow account no longer held enough to cover it. Investigators traced the gap to seven withdrawals made on June 10.

Axelar Disabled Secret Connections After Discovery

Axelar's emergency committee disabled the Secret and Secret-SNIP connections after the discovery, and cross-chain router Squid removed Secret from its frontend. Axelar stated its core protocol was never affected and that no other chains, channels, or escrow accounts were touched. The Secret team was notified to halt and migrate the affected contract. In a follow-up post, Axelar stated: "Neither Axelar nor IBC was compromised. The exploited token smart contract was not developed, deployed, or maintained by Axelar." The team said the flaw was not in Axelar-specific logic or in IBC itself.

Approximately $672,000 Remained in Attacker's Wallet at Publication Time

Secret Network stated in its forum post that roughly $770,000 of the stolen funds remained in the attacker's wallet on Axelar at the time of the post. Secret Network said it identified those assets, flagged them as recoverable, and petitioned the Axelar team to freeze them or work with its community to do so, "a request they have decided not to pursue." Axelar said separately that it is coordinating with exchanges and law enforcement and has not given a timeline for restoring the connection. Axelarscan data viewed by The Block showed the attacker's Axelar wallet still held 6.2 WBTC, 239,324 USDC, 64.04 WBNB and 248.85 AXL, worth roughly $672,000 at publication time prices.

Stolen Funds Moved Through Osmosis to Ethereum Exchanges

Common Prefix's tracing shows the attacker withdrew stolen assets to Axelar, routed them through Osmosis using automated packet-forwarding, then bridged to Ethereum and mostly swapped for ether on CoW Protocol. The ether was split into roughly 30 transfers to fresh wallets before landing in deposit addresses at KuCoin, ChangeNow, and HitBTC. Despite the disclosure, both projects' tokens gained over the past 24 hours: Axelar's AXL was up about 1.3%, while Secret's SCRT was up 5.6% at publication time.

FAQ

What caused the $4.67 million Secret Network bridge exploit on June 10?

The exploit occurred because a custom CW20-ICS20 token contract on Secret Network failed to validate which channel inbound transfers originated from. The attacker created a single-validator Cosmos chain, opened an IBC channel to the bridge contract, and self-relayed forged packets that the contract accepted as legitimate, minting unbacked saTokens that were then redeemed for actual assets held in escrow.

How long did the vulnerability exist before the June 10 attack?

Common Prefix traced the vulnerability to the contract's initial deployment in early 2023. A March 5 migration that updated the bytecode for new features carried the same missing checks forward, and the June 10 attack exploited that migrated code.

How much of the stolen funds remained recoverable at publication time?

Axelarscan data viewed by The Block showed the attacker's Axelar wallet held 6.2 WBTC, 239,324 USDC, 64.04 WBNB and 248.85 AXL, worth roughly $672,000 at publication time prices. Secret Network stated it petitioned Axelar to freeze these assets, a request Axelar declined to pursue.
