Secret Network Hit With $4.67M Infinite Mint Exploit Losses

An attacker exploited an “infinite mint” vulnerability in a smart contract on Secret Network to create wrapped versions of Axelar-backed assets without the normal backing. According to Common Prefix, the resulting loss reached $4.67 million, with the incident first occurring on June 10 and later being detected on June 17 after irregularities surfaced during a failed cross-chain transfer.

The exploit relied on a flaw in how inbound transfers were handled: the contract minted genuine saTokens without verifying that the tokens being deposited originated from a legitimate source. After discovery, the attacker redeemed the forged saTokens through Axelar’s standard routes, draining the real wrapped assets held in escrow. Common Prefix reported the issue on Friday, citing on-chain findings and the sequence of redemptions.

Key takeaways

• An “infinite mint” bug on Secret Network allowed unbacked Axelar-wrapped assets (saTokens) to be minted.
• The vulnerability stemmed from missing verification of the inbound transfer source before minting, enabling forged deposits to produce real tokens.
• Common Prefix estimates the exploit’s impact at $4.67 million, with detection coming a week after the June 10 attack.
• The attacker redeemed saTokens back to the underlying assets held in escrow, then moved proceeds to Ethereum and split holdings across multiple wallets.
• Axelar said its network and IBC were not compromised, and that the affected contract was not developed or maintained by Axelar.

How the Secret Network “infinite mint” unfolded

The Secret Network incident centered on a smart contract that minted Axelar-wrapped tokens (saTokens) tied to assets held in escrow. Common Prefix’s analysis indicates the contract did not verify the source of inbound transfers prior to minting. As a result, deposits that were forged over an attacker-controlled channel could trigger minting of genuine saTokens without corresponding backing assets.

Common Prefix said the attacker then redeemed those Axelar-wrapped saTokens back through legitimate channels. Because the real wrapped assets were stored in escrow, the redemption process allowed the attacker to withdraw the backed collateral that should have corresponded to the issued tokens. In short, the breach converted what should have been a “wrapped claim” into an extractable withdrawal by breaking the token-to-collateral link at the minting stage.

Assets targeted and the size of the exploit

Common Prefix reported that multiple Axelar-wrapped tokens were minted without backing. The affected set included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBTC? and saBNB, as well as sawstETH (as listed in Common Prefix’s report). The firm estimated the total exploit impact at $4.67 million.

Secret Network is a privacy-focused layer-1 blockchain in the Cosmos ecosystem. Axelar, meanwhile, is an interoperability network designed to connect different blockchain ecosystems. The incident highlights the risk that can arise when wrapped assets and cross-chain messaging rely on correct validation logic—especially when minting depends on the integrity of inbound transfer proofs.

Discovery, attacker movement, and where funds ended up

While the exploit happened on June 10, Common Prefix said it wasn’t detected until June 17. The delayed discovery was linked to a failed cross-chain transaction that returned an “insufficient funds” error involving the drained account. That error drew attention to the fact that tokens had likely been minted without sufficient backing.

After redemption, Common Prefix reported that the attacker moved the stolen assets to Ethereum and converted the proceeds to Ether (ETH). The firm also said the attacker split the funds across roughly 30 wallets, eventually depositing with exchanges including KuCoin, ChangeNow, and HitBTC—details that matter for monitoring and potential recovery efforts, since multi-wallet distribution can slow down tracing and enforcement.

Secret Network and Axelar respond: what was and wasn’t compromised

Secret Network posted a security incident warning, advising holders of Axelar-bridged saXXX tokens on Secret that the backing for those tokens was affected and that their funds may be lost. The warning, published after the incident became public, focused on user risk rather than suggesting that all tokens on Secret were compromised.

Axelar addressed the incident separately after “some confusion” circulated around the breach. In a post on Saturday, Axelar stated that neither Axelar nor IBC was compromised. It also said the exploited token smart contract was not developed, deployed, or maintained by Axelar, and that Axelar’s firewalling helped prevent broader impact across chains. For users and builders, the distinction matters: it suggests that the failure was contained to the contract logic on Secret’s side of the integration rather than a systemic breach across the broader Axelar interoperability stack.

Why this case fits a broader pattern of bridge and wrap exploits

Common Prefix placed the Secret Network hack in the context of a busy month for crypto exploits. According to DeFiLlama data cited in the article, crypto protocol hacks and exploits now number at least 22 for the month, reflecting continued pressure on cross-chain infrastructure and token-wrapping mechanisms.

Earlier this month, Cointelegraph reported major losses tied to other cross-chain incidents, including Humanity Protocol and Syscoin Bridge, which lost $32 million and $8 million, respectively. Together, these cases underscore a recurring theme: cross-chain systems can fail at multiple layers—message validation, escrow accounting, wrapped-token minting, and redemption logic—meaning that a vulnerability in one link can lead to direct fund drains if the surrounding checks are incomplete.

For investors and traders, the practical implication is that token “existence” on a destination chain does not always guarantee collateral backing. In the Secret Network incident, the tokens were minted in a way that broke that assumption, turning wrapped representations into potentially uncollectible claims. For developers, the bigger lesson is straightforward: minting logic that depends on inbound data must treat verification as part of the core security model, not an optional step.

Looking ahead, users holding affected saTokens on Secret should monitor Secret Network’s incident updates and any follow-on recovery or remediation announcements. Meanwhile, builders integrating interoperability routes should watch closely for contract-level fixes and updated validation requirements—because as this exploit shows, a single missing verification step can propagate into real withdrawals from escrow even when the interoperability provider itself insists it was not compromised.

This article was originally published as Secret Network Hit With $4.67M Infinite Mint Exploit Losses on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.