Secret Network’s $4.67M Bridge Heist Started With One Missing Check

An attacker drained roughly $4.67 million from a Secret (SCRT) bridge tied to Axelar (AXL), exploiting a flawed contract that minted unbacked tokens out of nothing.

Key Points:

Secret Network Bridge Loses Millions

The theft began on Jun. 10 yet went unnoticed for seven days, since Secret encrypts balances by default and the missing collateral never showed on chain. It surfaced only on Jun. 17, when a routine cross-chain transfer failed because the escrow account had run dry. Investigators then traced the shortfall back to seven suspicious withdrawals made on the opening day.

Axelar confirmed the loss on Jun. 19 and disabled the affected Secret and Secret-SNIP connections within hours, while stressing that its core protocol was never touched. The team said it has contacted exchanges and law enforcement to trace the funds, about $672,000 of which still sits untouched in the attacker's main wallet.

Also Read: Bitcoin ETF Exodus Hits Record $6.35B, But Panic Selling May Be Cooling

Infinite-Mint Flaw Fooled The Contract

The vulnerable contract minted Secret-wrapped copies of bridged assets but never verified which channel a deposit truly came from, matching only a token's name against an approved list.

Research firm Common Prefix published a postmortem mapping how that single gap unraveled. Because the network hides transfers by default, tracing the attacker proved far harder than it would have on a fully transparent public ledger.

To exploit it, the attacker spun up a chain with one validator, opened an unauthorized channel, and self-relayed forged packets carrying token names lifted straight from the allow-list.

The contract accepted them and minted real, redeemable tokens with nothing whatsoever behind them.

Redeeming those fakes through the genuine channel then emptied the escrow across seven wrapped assets. The flaw was not new, and the firm reported that the same logic had sat in the code since 2023 and survived a March 2026 migration. Secret added that no outside audit was requested when the bridge was first built.

Cross-Chain Bridges Stay Exposed

The stolen funds moved through Osmosis, swapped into Ether (ETH) on a decentralized exchange, and scattered across dozens of fresh wallets before finally reaching three centralized exchanges. The broader market response stayed muted, with Axelar's token slipping about 2.2% on the day and Secret holding nearly flat.

Still, the loss extends a brutal year for cross-chain infrastructure. Bridges built on similar lock-and-mint designs remain the most exploited surface in crypto, with comparable flaws costing more than $340 million across the industry in 2026. The toll includes a $25 million breach at Resolv, an $11 million loss at Verus, and a $4 million hit to IoTeX.

Read Next: JaredFromSubway Bot Loses $7.5M After Taking Its Own Bait