Hackers Steal $4.67 Million From Secret Network in Bridge Exploit

Secret Network suffered a $4.67 million exploit after an attacker used a flaw in a custom token contract to mint unbacked Axelar-wrapped assets and redeem them for real assets held in escrow.


The exploit occurred on June 10 and stayed undetected until June 17, when a failed cross-chain transaction exposed the issue. Secret Network warned that affected Axelar-bridged saTokens may no longer be fully backed, while Axelar confirmed that neither its network nor the IBC protocol was compromised.

Secret Network Exploit Drains $4.67 Million

A vulnerability in a smart contract on Secret Network led to a $4.67 million exploit after an attacker successfully minted unbacked versions of Axelar-wrapped assets and redeemed them for real assets held in escrow. The incident occurred on June 10 but was undetected for an entire week before being discovered on June 17 when a failed cross-chain transaction triggered an “insufficient funds” error.

According to blockchain research firm Common Prefix, the exploit was made possible by a flaw in a custom token contract that failed to verify the source of inbound transfers before minting wrapped assets. This allowed the attacker to create legitimate-looking Secret Network assets, known as saTokens, without providing any actual collateral. 

By using an attacker-controlled communication channel, the exploiter was able to forge deposits and mint genuine saTokens that looked fully backed despite having no underlying assets supporting them. The attacker then redeemed these fraudulent tokens through legitimate Axelar channels, draining the real assets that were held in escrow. 
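The missing source check described above can be shown with a simplified Rust model. This is an added example, not code from Secret Network, Axelar, or the affected contract; the `Wrapper` and `Inbound` types, the function names, and the channel names are hypothetical. It places the flawed mint path beside a hardened one, and adds a supply-versus-escrow reconciliation check that flags unbacked tokens.

```rust
// Simplified model of the flaw class; not Secret Network or Axelar code. All names hypothetical.
use std::collections::HashMap;
/// An inbound cross-chain deposit as the wrapping contract sees it.
pub struct Inbound<'a> { pub channel: &'a str, pub denom: &'a str, pub amount: u128 }
#[derive(Default)]
pub struct Wrapper {
    trusted: HashMap<String, String>, // denom -> only channel allowed to mint it
    supply: HashMap<String, u128>,    // wrapped tokens minted per denom
}

impl Wrapper {
    pub fn trust(&mut self, denom: &str, channel: &str) {
        self.trusted.insert(denom.into(), channel.into());
    }
    /// Flawed pattern: mints for any packet, whatever channel delivered it.
    pub fn mint_unchecked(&mut self, p: &Inbound) -> Result<u128, String> { self.credit(p) }
    /// Hardened pattern: mint only when the packet arrived on the registered channel.
    pub fn mint_checked(&mut self, p: &Inbound) -> Result<u128, String> {
        match self.trusted.get(p.denom) {
            Some(c) if c.as_str() == p.channel => self.credit(p),
            _ => Err(format!("untrusted source {} for {}", p.channel, p.denom)),
        }
    }
    fn credit(&mut self, p: &Inbound) -> Result<u128, String> {
        let s = self.supply.entry(p.denom.to_string()).or_insert(0);
        *s = s.checked_add(p.amount).ok_or("supply overflow")?;
        Ok(*s)
    }
    /// Reconciliation check: denoms whose minted supply exceeds escrowed backing.
    pub fn unbacked(&self, escrow: &HashMap<String, u128>) -> Vec<String> {
        let mut v: Vec<String> = self.supply.iter()
            .filter(|(d, s)| **s > *escrow.get(*d).unwrap_or(&0))
            .map(|(d, _)| d.clone()).collect();
        v.sort();
        v
    }
}

fn main() {
    // Constructed sample data: 100 units really escrowed, then a forged 500-unit deposit.
    let escrow = HashMap::from([("saUSDC".to_string(), 100u128)]);
    let forged = Inbound { channel: "channel-untrusted", denom: "saUSDC", amount: 500 };
    let mut w = Wrapper::default();
    w.trust("saUSDC", "channel-trusted");
    println!("checked: {:?}", w.mint_checked(&forged));
    println!("unchecked: {:?}", w.mint_unchecked(&forged));
    println!("unbacked after unchecked mint: {:?}", w.unbacked(&escrow));
}
```

Running the reconciliation on a schedule, rather than waiting for a redemption to fail, is what would shorten a detection gap like the week reported here.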

Among the affected assets were saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Once the funds were obtained, they were bridged to Ethereum, converted into Ether (ETH), and distributed to roughly 30 different wallets to try to obscure the movement of funds. Some of the stolen assets were later deposited into cryptocurrency exchanges, including KuCoin, ChangeNow, and HitBTC.

[Figure: Token flow. Source: Common Prefix]

The exploit is one of the largest crypto security incidents recorded this month. Data from DeFiLlama shows that more than 20 protocol hacks and exploits have already occurred this month. Only the Humanity Protocol exploit, which resulted in losses of approximately $32 million, and the Syscoin Bridge attack, which caused losses of around $8 million, were larger.

After the discovery, Secret Network warned users holding Axelar-bridged saTokens that the assets may no longer be fully backed and that funds could potentially be lost. The project also clarified that its native SCRT token was not affected by the exploit.

Axelar later issued a statement explaining that neither the Axelar network nor the Inter-Blockchain Communication (IBC) protocol had been compromised. According to the team, the vulnerability existed in a third-party token contract that was not developed, deployed, or maintained by Axelar.