Secret Network bridge exploited for $4.7M with ‘infinite mint’ bug
A vulnerable smart contract on Secret Network was exploited through an “infinite mint” bug, allowing an attacker to create unbacked Axelar-wrapped assets and drain about $4.67 million. The flaw was discovered after a failed cross-chain transfer exposed an “insufficient funds” error in the drained account. The contract failed to verify the source of inbound transfers before minting, so forged deposits on an attacker-controlled channel produced genuine saTokens without backing. Affected assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The attacker moved the stolen funds to Ethereum, swapped them into ETH, split them across roughly 30 wallets, and sent proceeds to exchanges including KuCoin, ChangeNow, and HitBTC. Secret said users holding Axelar-bridged saXXX tokens may have lost backing. Axelar said neither Axelar nor IBC was compromised.
