An exploitation of the Axelar bridge connecting to Secret Network resulted in a loss of approximately $4.67 million due to an unaddressed vulnerability in a custom token contract. This incident, which remained undetected for seven days, involved the minting of unbacked tokens and their subsequent redemption for legitimate assets. The security lapse highlights critical issues in cross-chain communication protocols and the due diligence required for smart contract integrations.
Key Takeaways
- An attacker exploited a modified IBC bridge contract between Axelar and Secret Network to mint unbacked Secret-wrapped tokens (saTokens).
- The exploit, which leveraged a flaw in a custom CW20-ICS20 contract, allowed the minting of saTokens without proper validation of inbound transfer sources.
- The attack went unnoticed for seven days, only being discovered when a routine cross-chain transfer failed due to insufficient funds in the Axelar escrow account.
- Axelar’s emergency committee subsequently disabled the affected connections, asserting that its core protocol remained uncompromised.
- Approximately $672,000 of the stolen funds remain in the attacker’s Axelar wallet, with Axelar reportedly declining a request from Secret Network to freeze these assets.
The breach occurred on June 10, as detailed in a postmortem report by Common Prefix. The vulnerability resided within a modified CW20-ICS20 contract on Secret Network, responsible for managing assets transferred from Axelar. This contract allowed for the minting of Secret-wrapped versions of Axelar-wrapped assets, known as saTokens, without adequate checks on the origin channel of inbound transfers. This deficiency enabled the attacker to create counterfeit deposits, resulting in the minting of genuine saTokens that were not backed by corresponding assets.
The attacker established a single-validator Cosmos chain, initiated an IBC channel to the bridge contract, and relayed forged packets containing token denominations that were present on the contract’s allow-list. The contract’s inability to distinguish these forged packets from legitimate ones arriving via Axelar’s official channel led to the minting of unbacked saTokens. Subsequently, these minted tokens were redeemed through the legitimate Axelar channel, allowing the attacker to withdraw the actual assets held in escrow.
The exploit affected seven different saTokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. According to Common Prefix, the underlying vulnerability had existed since the contract’s initial deployment in early 2023 and persisted through a subsequent code migration on March 5. The attack targeted this migrated code, exploiting the continued absence of essential validation checks.
Secret Network indicated that the bridge contract had been reconfigured from an escrow model to a mint model for its Axelar integration. During this transition, critical functions responsible for validating transfer sources were reportedly removed. Furthermore, Secret Network noted that Axelar had not requested an external audit for this specific integration.
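The defect described above is a missing origin check on the receive path of a mint-model bridge contract. The following Rust model, added here as an illustration and not code from the Secret Network or Axelar contracts, places the defective receive path next to a hardened one. It assumes a simplified packet type, a hypothetical trusted channel id (`channel-20`) and constructed denominations; the real CW20-ICS20 contract has richer types, but the decisive difference is the same: the hardened path compares the arrival channel against the one configured for Axelar before it looks at the denom.

```rust
use std::collections::HashMap;

/// Inbound ICS-20 transfer as the bridge contract sees it (constructed model;
/// the real CW20-ICS20 packet and channel types carry more fields).
#[derive(Debug, Clone)]
pub struct InboundTransfer {
    /// Channel on the Secret side on which the packet arrived.
    pub dest_channel: String,
    /// Token denomination named in the packet.
    pub denom: String,
    pub amount: u128,
    pub receiver: String,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    UntrustedChannel(String),
    DenomNotAllowed(String),
}

/// Minimal bridge state for a mint-model integration.
pub struct BridgeState {
    /// The one channel whose deposits may be credited (hypothetical id).
    pub trusted_channel: String,
    /// Denominations for which saTokens may be minted.
    pub allow_list: Vec<String>,
    /// saToken supply minted so far, per denom.
    pub minted: HashMap<String, u128>,
}

impl BridgeState {
    pub fn new(trusted_channel: &str, allow_list: &[&str]) -> Self {
        BridgeState {
            trusted_channel: trusted_channel.to_string(),
            allow_list: allow_list.iter().map(|d| d.to_string()).collect(),
            minted: HashMap::new(),
        }
    }

    /// Allow-list check followed by the mint; shared by both receive paths.
    fn mint_if_allowed(&mut self, t: &InboundTransfer) -> Result<u128, BridgeError> {
        if !self.allow_list.iter().any(|d| d == &t.denom) {
            return Err(BridgeError::DenomNotAllowed(t.denom.clone()));
        }
        let supply = self.minted.entry(t.denom.clone()).or_insert(0);
        *supply += t.amount;
        Ok(*supply)
    }
}

/// Receive path with the defect the postmortem describes: the denom is
/// checked against the allow-list, but nothing checks which channel the
/// packet came in on, so any counterparty that opens a channel to the
/// contract and names an allow-listed denom gets saTokens minted.
pub fn receive_vulnerable(state: &mut BridgeState, t: &InboundTransfer) -> Result<u128, BridgeError> {
    state.mint_if_allowed(t)
}

/// Hardened receive path: reject the packet unless it arrived on the
/// configured Axelar channel, before the denom is even considered.
pub fn receive_hardened(state: &mut BridgeState, t: &InboundTransfer) -> Result<u128, BridgeError> {
    if t.dest_channel != state.trusted_channel {
        return Err(BridgeError::UntrustedChannel(t.dest_channel.clone()));
    }
    state.mint_if_allowed(t)
}

/// Total saToken supply for a denom, i.e. the amount that must be backed by
/// escrow on the Axelar side.
pub fn supply_of(state: &BridgeState, denom: &str) -> u128 {
    state.minted.get(denom).copied().unwrap_or(0)
}

fn main() {
    let allow = ["uusdt-axl", "uusdc-axl"]; // constructed denoms
    let legit = InboundTransfer {
        dest_channel: "channel-20".into(), // hypothetical Axelar channel
        denom: "uusdt-axl".into(),
        amount: 1_000,
        receiver: "secret1alice".into(),
    };
    // Same denom, but arriving on a channel the contract never trusted.
    let foreign = InboundTransfer { dest_channel: "channel-999".into(), ..legit.clone() };

    let mut v = BridgeState::new("channel-20", &allow);
    println!("vulnerable: {:?} {:?}", receive_vulnerable(&mut v, &legit), receive_vulnerable(&mut v, &foreign));
    let mut h = BridgeState::new("channel-20", &allow);
    println!("hardened:   {:?} {:?}", receive_hardened(&mut h, &legit), receive_hardened(&mut h, &foreign));
}
```

In the defective path `supply_of` grows with every accepted packet regardless of source, which is exactly the quantity that later had to be covered by the Axelar escrow; in the hardened path only deposits on the trusted channel can raise it. A migration that changes the contract from an escrow model to a mint model should carry a test like the one sketched in `main` so that the channel check cannot silently disappear.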
Due to the encrypted nature of balances on Secret Network, the missing collateral was not immediately apparent on-chain, unlike transparent pools found on other blockchains such as Ethereum. The deficit only came to light on June 17, when a standard cross-chain transfer on Axelar failed, signaling an inadequate balance in the escrow account. Investigations revealed that seven withdrawals had occurred on June 10.
Secret Network also raised concerns regarding the monitoring and security mechanisms of the Axelar bridge infrastructure. The network stated that “no effective monitoring, anomaly-detection, or emergency pause mechanisms were triggered within the Axelar bridge infrastructure to identify and temporarily halt unusually large or suspicious transfers before the bridge assets were substantially drained from Axelar.”
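The monitoring gap Secret Network describes is the absence of a circuit breaker on the escrow side. The following Rust sketch, an added example rather than any part of Axelar's infrastructure, shows one simple shape such a mechanism can take: a rolling-window outflow monitor that evaluates each escrow withdrawal before it executes and signals a pause once the window's outflow would exceed a configured share of the remaining escrow. The escrow size, window, threshold, denominations and USD figures are all constructed; a real deployment would feed it from chain events or an indexer and would price withdrawals from an oracle.

```rust
use std::collections::VecDeque;

/// One escrow withdrawal on the Axelar side (constructed model; a real
/// monitor would read these from chain events or an indexer).
#[derive(Debug, Clone)]
pub struct EscrowWithdrawal {
    /// Unix timestamp of the withdrawal.
    pub ts: u64,
    pub denom: String,
    /// Value at time of withdrawal in whole USD, so denoms can be summed.
    pub amount_usd: u64,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    /// Pause the connection: outflow in the window would exceed the limit.
    Pause { windowed_out_usd: u64, limit_usd: u64 },
}

/// Rolling-window outflow monitor with a pause trigger.
pub struct OutflowMonitor {
    window_secs: u64,
    /// Maximum share of current escrow that may leave within one window, in basis points.
    max_outflow_bps: u64,
    /// Escrow value still held, in USD (hypothetical figure at construction).
    escrow_usd: u64,
    /// (timestamp, amount) of withdrawals inside the current window.
    recent: VecDeque<(u64, u64)>,
}

impl OutflowMonitor {
    pub fn new(escrow_usd: u64, window_secs: u64, max_outflow_bps: u64) -> Self {
        OutflowMonitor { window_secs, max_outflow_bps, escrow_usd, recent: VecDeque::new() }
    }

    pub fn escrow_usd(&self) -> u64 {
        self.escrow_usd
    }

    /// Evaluate a withdrawal before it is executed. Allowed withdrawals are
    /// recorded and deducted from escrow; a Pause leaves state untouched so
    /// an operator can inspect and resume.
    pub fn check(&mut self, w: &EscrowWithdrawal) -> Decision {
        // Drop entries that have aged out of the window.
        let cutoff = w.ts.saturating_sub(self.window_secs);
        while matches!(self.recent.front(), Some(&(ts, _)) if ts < cutoff) {
            self.recent.pop_front();
        }
        let windowed_out_usd = self.recent.iter().map(|&(_, a)| a).sum::<u64>() + w.amount_usd;
        // Limit is a share of what is still in escrow, so it tightens as funds leave.
        let limit_usd = self.escrow_usd * self.max_outflow_bps / 10_000;
        if windowed_out_usd > limit_usd {
            return Decision::Pause { windowed_out_usd, limit_usd };
        }
        self.recent.push_back((w.ts, w.amount_usd));
        self.escrow_usd = self.escrow_usd.saturating_sub(w.amount_usd);
        Decision::Allow
    }
}

fn main() {
    // Constructed sequence: a $5.0M escrow with a 20% per-day outflow cap.
    let mut m = OutflowMonitor::new(5_000_000, 86_400, 2_000);
    let events: [(u64, &str, u64); 3] = [
        (0, "uusdt-axl", 600_000),
        (100, "uusdc-axl", 500_000),
        (90_000, "uwbtc-axl", 500_000), // a day later, the window has cleared
    ];
    for (ts, denom, amount_usd) in events {
        let w = EscrowWithdrawal { ts, denom: denom.into(), amount_usd };
        let d = m.check(&w);
        println!("{} {} ${} -> {:?} (escrow now ${})", ts, w.denom, amount_usd, d, m.escrow_usd());
    }
}
```

A threshold of this kind does not need to know why tokens are being redeemed; it only needs the escrow to drain faster than the integration's normal traffic. That is precisely the signal that was missing for seven days here, since the deficit only surfaced when a routine transfer found the escrow short.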
In response to the incident, Axelar’s emergency committee deactivated the Secret and Secret-SNIP connections. The cross-chain router Squid also removed Secret from its user interface. Axelar emphasized that its core protocol was not compromised and that no other connected chains, channels, or escrow accounts were affected. Secret Network was instructed to halt and migrate the compromised contract.
Analysis of the attacker’s actions by Common Prefix indicates that the stolen assets were routed through Osmosis, then bridged to Ethereum, and largely exchanged for Ether via CoW Protocol. The Ether was then distributed across approximately 30 new wallets before being deposited into addresses at KuCoin, ChangeNow, and HitBTC.
Despite the disclosure of this exploit, both Axelar’s AXL token and Secret’s SCRT token have seen price increases in the 24 hours preceding publication. This incident follows a trend of significant cross-chain exploits observed throughout the year, including a notable $292 million loss from Kelp DAO’s bridge in April.
Secret Network reported that approximately $770,000 of the stolen funds remained in the attacker’s Axelar wallet at the time of their statement. Secret indicated it had identified these recoverable assets and requested Axelar’s assistance in freezing them, a request that Axelar reportedly declined. Axelar has stated it is collaborating with exchanges and law enforcement agencies, but has not provided a timeline for restoring the connection.
Data from Axelarscan confirms that the attacker’s wallet still held a significant amount of assets, including WBTC, USDC, WBNB, and AXL, valued at roughly $672,000. Axelar has publicly stated that the exploited smart contract was not developed, deployed, or maintained by Axelar, and that the vulnerability was not present in Axelar-specific logic or the IBC protocol itself.
Potential Regulatory Precedent
This incident underscores the complex legal and regulatory challenges inherent in the rapidly evolving cross-chain communication sector. The lack of immediate detection and the subsequent dispute over asset recovery highlight the need for clearer frameworks governing responsibility and liability in inter-blockchain interactions. As regulatory bodies globally, such as the European Union with its Markets in Crypto-Assets (MiCA) regulation, seek to establish comprehensive oversight of the digital asset landscape, incidents like this may inform future compliance requirements. The legal stakes for companies involved in bridging and cross-chain services are substantial, encompassing potential liability for losses, the obligation to implement robust security measures, and adherence to evolving international standards. The failure to implement adequate safeguards, as suggested by Secret Network’s critique of Axelar’s monitoring, could set a precedent for increased scrutiny and potential enforcement actions, emphasizing the critical importance of thorough smart contract auditing and robust operational security for all participants in the blockchain ecosystem.
Based on materials from: www.theblock.co
