Secret Network’s Axelar-linked bridge lost $4.67 million after an attacker exploited a minting flaw to create unbacked wrapped tokens. The breach lasted seven days before detection, while Secret Network and Axelar disputed responsibility for the faulty contract.
Secret Network’s Axelar-linked bridge has been suspended after an attacker drained about $4.67 million from a contract that handled wrapped assets. The attack began on June 10, 2026, and stayed undetected until June 17, when a cross-chain transfer failed due to an empty escrow account.
Secret Network and Axelar disclosed the incident on June 19. Both teams said the breach affected a contract on the Secret Network side. They also said Axelar’s core network and the Inter-Blockchain Communication protocol were not compromised.
Missing Contract Checks Allowed Unbacked Tokens
Security firm Common Prefix traced the flaw to a modified CW20-ICS20 smart contract used for the Axelar connection. Two validation checks had been removed from the contract’s packet-receive function. One should have confirmed that incoming token denominations came from the correct channel. The other should have limited withdrawals to assets held in escrow.
The contract was deployed in March 2023. A migration on March 5, 2026, added features but kept the missing checks. The attacker later created a single-validator Cosmos chain and opened a new IBC channel to Secret Network. The attacker then sent forged packets with token names that matched the contract’s allow-list.
The contract accepted the packets and minted wrapped tokens without matching deposits. The attacker redeemed them through the legitimate Axelar route and withdrew real assets from escrow. Secret Network’s encrypted transactions also made the growing shortage harder for outside observers to detect.
Seven Wrapped Assets Were Drained
The stolen assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH. Common Prefix traced part of the funds through Osmosis and Ethereum. Reports said the attacker converted much of the value into Ether and split funds across several wallets.
About $600,000 of the affected assets had been deposited into Shade Protocol contracts. Shade did not create or operate the faulty bridge contract. Ecosystem contributor CarterWoetzel said bridge-level controls were “the appropriate place to detect and halt this class of attack,” adding that this “did not happen here.”
The breach became visible after a legitimate transfer failed on June 17. That delay raised questions about monitoring systems used to track bridge reserves. Secret Network said Axelar’s system “failed to trigger effective anomaly detection or an emergency pause.” Axelar disputes that account.
Secret Network and Axelar Dispute Responsibility
Axelar said the faulty contract “was not developed, deployed, or maintained” by its team. It described the issue as limited to a Secret-side ICS-20 contract. Secret Network, meanwhile, linked the flaw to contracts used for the Axelar integration. Neither team had released a full post-mortem by June 22.
Axelar’s Emergency Committee disabled the Secret and Secret-SNIP bridge links after the disclosure. Cross-chain router Squid also removed Secret Network support from its interface. Both teams said they were contacting exchanges and law enforcement agencies to trace the stolen funds.
Secret Network warned that affected Axelar-wrapped tokens “may no longer be fully backed.” It said the native SCRT token was not involved. No final recovery plan has been announced, and neither team has confirmed how losses will be shared.
SCRT traded near $0.0558 at the time of the reports, close to its record low, while AXL traded near $0.0426. The suspension has reduced cross-chain routes while the investigation and asset-tracing work proceed.
Disclaimer : Crypto News India does not recommend that any cryptocurrency should be bought, sold, or held by you. Do conduct your own due diligence and consult your financial advisor before making any investment decisions.
