Secret Network Bridge Exploited: $4.67M Lost in Infinite Mint Attack


An attacker exploited a vulnerability in a custom token contract on Secret Network’s Axelar bridge, minting unbacked tokens and stealing approximately $4.67 million. The exploit, carried out on June 10, went undetected for a full seven days, until a failed cross-chain transfer on June 17 revealed that the Axelar escrow account had been depleted.

Key Takeaways

  • An exploitable flaw in a modified CW20-ICS20 contract on Secret Network allowed an attacker to mint unbacked saTokens (Secret-wrapped Axelar-wrapped assets).
  • The attacker leveraged a single-validator Cosmos chain to relay forged deposit packets, tricking the contract into minting fake tokens.
  • The exploit resulted in the theft of seven different saTokens, totaling approximately $4.67 million in real assets.
  • The vulnerability existed in the contract since its initial deployment in early 2023 and persisted after a March 2024 migration.
  • The exploit was only discovered when a subsequent, legitimate transfer failed due to insufficient collateral in the Axelar escrow.
  • Axelar’s emergency committee has since disabled the Secret and Secret-SNIP connections, and the core Axelar protocol remains unaffected.
  • Approximately $672,000 of the stolen funds are still held in the attacker’s Axelar wallet, with Secret Network stating Axelar declined a request to freeze these assets.

The exploit targeted a specific contract responsible for handling assets bridged from Axelar. This contract had been adapted from an escrow model to a mint model, and crucially, the validation functions that would have verified the source channel of an inbound transfer were removed during this adaptation. Because IBC channel creation is permissionless, this oversight let the attacker open a channel from their own single-validator chain and submit forged deposit packets over it. The vulnerable contract, unable to distinguish these fraudulent packets from legitimate ones, minted equivalent amounts of saTokens. The attacker then redeemed those minted tokens through the legitimate Axelar channel, withdrawing the real assets held in escrow.
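As an added illustration (not the exploited contract's code, which is not reproduced here), the following Rust model contrasts a mint handler that ignores the packet's source channel with one that mints only for packets arriving on the trusted channel. Channel IDs, addresses and the packet struct are constructed placeholders; a real CosmWasm contract would apply this check in its IBC packet-receive entry point against the channel recorded at channel-open time.

```rust
use std::collections::HashMap;

/// Constructed model of an inbound ICS-20 transfer packet (simplified;
/// not the real ibc-go / cw20-ics20 struct).
#[derive(Debug)]
pub struct Ics20Packet {
    pub amount: u128,
    pub receiver: String,
}

#[derive(Debug, PartialEq)]
pub enum ReceiveError {
    UntrustedChannel(String),
    Overflow,
}

/// Mint-model wrapped-token contract: each inbound deposit mints saTokens.
/// `trusted_channel` is the single IBC channel deposits may arrive on (the Axelar
/// channel); any other channel may be attacker-opened and must never mint.
pub struct MintContract {
    trusted_channel: String,
    balances: HashMap<String, u128>,
}

impl MintContract {
    pub fn new(trusted_channel: &str) -> Self {
        MintContract { trusted_channel: trusted_channel.to_string(), balances: HashMap::new() }
    }

    fn mint(&mut self, pkt: &Ics20Packet) -> Result<(), ReceiveError> {
        let bal = self.balances.entry(pkt.receiver.clone()).or_insert(0);
        *bal = bal.checked_add(pkt.amount).ok_or(ReceiveError::Overflow)?;
        Ok(())
    }

    /// Vulnerable pattern: the source channel is ignored, so a forged packet
    /// relayed over an attacker-controlled channel mints unbacked tokens.
    pub fn receive_unchecked(&mut self, _src_channel: &str, pkt: &Ics20Packet) -> Result<(), ReceiveError> {
        self.mint(pkt)
    }
    /// Hardened pattern: mint only for packets that arrive on the trusted channel.
    pub fn receive_checked(&mut self, src_channel: &str, pkt: &Ics20Packet) -> Result<(), ReceiveError> {
        if src_channel != self.trusted_channel {
            return Err(ReceiveError::UntrustedChannel(src_channel.to_string()));
        }
        self.mint(pkt)
    }
    pub fn balance_of(&self, who: &str) -> u128 { self.balances.get(who).copied().unwrap_or(0) }
}
```

The checked handler also refuses a mint that would overflow the recipient's balance, a second invariant a mint-model contract must hold.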

The seven saTokens compromised in the attack included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The underlying vulnerability was not a recent development; it has been present since the contract’s initial deployment in early 2023 and was carried forward during a migration in March 2024 that updated the contract’s bytecode for new features.

The encrypted nature of balances on Secret Network meant that the missing collateral was not immediately apparent on-chain, unlike in typical exploits on networks like Ethereum. The shortfall only came to light when a routine cross-chain transfer on June 17 failed, indicating insufficient funds in the escrow account. Investigations traced the depletion to seven withdrawals that occurred on June 10.

Secret Network has raised concerns regarding the lack of proactive monitoring and emergency response mechanisms within the Axelar bridge infrastructure, suggesting that these systems failed to detect or halt the suspicious large transfers before significant assets were drained.

Regulatory Precedent and Legal Implications

This incident, while stemming from a smart contract vulnerability, highlights significant legal and regulatory considerations within the cross-chain interoperability space. The ability for an attacker to exploit a flaw in a custom contract that was not externally audited as part of the integration raises questions about due diligence and liability. Axelar has asserted that its core protocol and the IBC protocol itself were not compromised, emphasizing that the exploited contract was developed and maintained by Secret Network. This distinction is critical in determining legal responsibility and potential recourse.

The incident may inform future regulatory approaches to cross-chain bridges. Regulators, such as the SEC, are increasingly scrutinizing decentralized finance (DeFi) protocols and their security measures. This exploit could lead to heightened demands for standardized auditing practices, clearer lines of responsibility between different protocol participants, and potentially, more stringent compliance requirements for bridge operators. The case also underscores the complexities of cross-border asset recovery, as demonstrated by the dispute over freezing the remaining stolen funds in the attacker’s Axelar wallet.

The legal stakes for companies involved in interoperability solutions are substantial. A failure to implement robust security measures and transparent development practices could result in significant financial losses, reputational damage, and potential legal action from investors and affected users. Furthermore, the varying responses from Axelar and Secret Network regarding the handling of the remaining stolen funds could set precedents for inter-protocol cooperation and dispute resolution in the event of future security breaches.

The situation draws parallels with other recent exploits, such as the vulnerability discovered in Zcash, which also involved the potential for counterfeit token creation and resulted in a notable price drop for the native token. These recurring incidents underscore the need for enhanced security frameworks and regulatory clarity across the digital asset ecosystem. As global regulatory bodies, including those in the EU with frameworks like MiCA, continue to develop comprehensive oversight for digital assets, incidents like this will likely influence the specific requirements and enforcement actions taken.

In response to the exploit, Axelar’s emergency committee deactivated the connections between Secret and Axelar, and the cross-chain router Squid subsequently removed Secret from its user interface. Axelar has stated its commitment to cooperating with exchanges and law enforcement agencies, although no timeline for restoring the affected connections has been provided. The attacker’s funds were reportedly routed through Osmosis, bridged to Ethereum, and largely converted to ether, which was then dispersed across numerous new wallets before reaching deposit addresses at centralized exchanges like KuCoin, ChangeNow, and HitBTC.

Despite the exploit, both Axelar’s AXL and Secret’s SCRT tokens experienced price increases in the 24 hours following the disclosure of the incident. However, the long-term impact on investor confidence and regulatory scrutiny remains to be seen.

Original article: www.theblock.co
