Secret Network Bridge Exploited Via Forged Deposits, Draining $4.67M
An attacker has drained $4.67 million from an Axelar-linked bridge on the Secret Network. The incident, which occurred on 10 June but was not detected until 17 June, exploited a critical vulnerability in a third-party smart contract responsible for managing wrapped assets. The attacker was able to mint unlimited quantities of unbacked tokens by sending forged deposit messages to the contract. These counterfeit assets were then redeemed for genuine collateral held in escrow, which included wrapped versions of USDT, USDC, DAI, WETH, WBTC, WBNB, and wstETH. The stolen funds were subsequently moved to Ethereum, converted to ETH, and distributed across approximately 30 wallets before being sent to centralised exchanges.
Anatomy
The failure resides in a single vulnerable smart contract deployed on the Secret Network. The contract mints saTokens, Secret Network's wrapped representations of assets bridged from other chains via the Axelar network. A bridge contract of this kind locks an asset on the source chain and mints a corresponding representative token on the destination chain, so that every wrapped token is backed one-to-one by collateral held in escrow.
The vulnerability was a fundamental logic error: the contract did not authenticate the origin of incoming deposit instructions. It was meant to mint saTokens only in response to messages arriving over one specific, legitimate channel, but it had no check that a message had actually come over that channel. Any correctly formatted message was processed as genuine: the contract validated the shape of its input but not its provenance, a critical gap in its access control.
The attacker exploited this by creating their own unauthorised, attacker-controlled channel. From this channel, they broadcast forged deposit messages to the vulnerable contract. The contract processed these messages as if they were legitimate, minting genuine saTokens for the attacker without any corresponding assets being deposited or locked in the bridge’s escrow. This is a classic “infinite mint” exploit, creating value from nothing within the context of the local system.
With a supply of counterfeit saTokens, the attacker then used the legitimate, public-facing functions of the bridge to redeem them. The bridge’s withdrawal mechanism honoured these counterfeit tokens, exchanging them for the real, underlying Axelar-wrapped assets held in the escrow pool. This process systematically drained the bridge’s liquidity. The stolen assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH.
The exploit remained undetected for seven days. Discovery was not the result of proactive security monitoring but of a system failure. A legitimate cross-chain transaction failed due to an “insufficient funds” error, which prompted an investigation that uncovered the drained escrow accounts. By this time, the attacker had already moved the assets off the Secret Network to Ethereum, swapped them for ETH, and begun a multi-stage obfuscation process, funnelling the funds through a web of new wallets before depositing them at exchanges including KuCoin, ChangeNow, and HitBTC.
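The origin check the contract lacked, and the backing invariant that would have exposed the forged mints long before a withdrawal failed, as an added example that is not the exploited contract's code or anything published by Secret Network or Axelar. It is a plain Rust model rather than a CosmWasm contract: the `DepositMsg` fields, the channel and counterparty identifiers (`channel-7`, `channel-99`, `axelar-gateway`), the `saUSDC` denom and all amounts are constructed for the example, and the assumption that a deposit is authenticated by the channel it arrived on plus the counterparty that sent it follows the description above, not the real contract's interface.

```rust
use std::collections::HashMap;

/// Inbound deposit as the contract sees it (field names assumed for this model, not the real schema).
#[derive(Debug, Clone)]
pub struct DepositMsg {
    pub channel_id: String, // channel the packet arrived on
    pub sender: String,     // counterparty address that sent it
    pub recipient: String,  // who receives the saTokens
    pub denom: String,      // e.g. "saUSDC"
    pub amount: u128,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    UntrustedChannel(String),
    UntrustedSender(String),
    InsufficientBalance,
    InsufficientEscrow,
}

/// Model bridge: escrowed collateral per denom, saToken balances by (holder, denom), minted supply per denom.
#[derive(Default)]
pub struct Bridge {
    trusted_channel: String,
    trusted_sender: String,
    escrow: HashMap<String, u128>,
    balances: HashMap<(String, String), u128>,
    supply: HashMap<String, u128>,
}

impl Bridge {
    pub fn new(trusted_channel: &str, trusted_sender: &str) -> Self {
        Bridge { trusted_channel: trusted_channel.into(), trusted_sender: trusted_sender.into(), ..Default::default() }
    }

    /// Collateral locked on the source chain shows up here.
    pub fn fund_escrow(&mut self, denom: &str, amount: u128) {
        *self.escrow.entry(denom.to_string()).or_default() += amount;
    }

    fn mint(&mut self, msg: &DepositMsg) {
        *self.balances.entry((msg.recipient.clone(), msg.denom.clone())).or_default() += msg.amount;
        *self.supply.entry(msg.denom.clone()).or_default() += msg.amount;
    }

    /// VULNERABLE: any well-formed deposit is honoured, whatever channel it came in on.
    pub fn on_deposit_vulnerable(&mut self, msg: &DepositMsg) -> Result<(), BridgeError> {
        self.mint(msg);
        Ok(())
    }

    /// HARDENED: mint only for packets on the configured channel from the expected counterparty.
    pub fn on_deposit(&mut self, msg: &DepositMsg) -> Result<(), BridgeError> {
        if msg.channel_id != self.trusted_channel {
            return Err(BridgeError::UntrustedChannel(msg.channel_id.clone()));
        }
        if msg.sender != self.trusted_sender {
            return Err(BridgeError::UntrustedSender(msg.sender.clone()));
        }
        self.mint(msg);
        Ok(())
    }

    /// Burn saTokens and release escrow. This path is correct in itself; in the incident it
    /// drained the pool only because the tokens fed into it were never backed.
    pub fn redeem(&mut self, holder: &str, denom: &str, amount: u128) -> Result<u128, BridgeError> {
        let key = (holder.to_string(), denom.to_string());
        let bal = *self.balances.get(&key).unwrap_or(&0);
        let esc = *self.escrow.get(denom).unwrap_or(&0);
        if bal < amount { return Err(BridgeError::InsufficientBalance); }
        if esc < amount { return Err(BridgeError::InsufficientEscrow); }
        self.balances.insert(key, bal - amount);
        self.escrow.insert(denom.to_string(), esc - amount);
        *self.supply.entry(denom.to_string()).or_default() -= amount;
        Ok(amount)
    }

    /// Backing invariant: minted supply must never exceed escrow. Returns the deficit per denom,
    /// which is what a monitor should alert on rather than waiting for a withdrawal to fail.
    pub fn unbacked(&self) -> Vec<(String, u128)> {
        let mut out = Vec::new();
        for (denom, minted) in &self.supply {
            let backed = *self.escrow.get(denom).unwrap_or(&0);
            if *minted > backed { out.push((denom.clone(), minted - backed)); }
        }
        out.sort();
        out
    }
}

/// Constructed forged deposit: attacker-opened channel, attacker as counterparty, no collateral behind it.
pub fn forged_deposit() -> DepositMsg {
    DepositMsg { channel_id: "channel-99".into(), sender: "attacker".into(),
                 recipient: "attacker".into(), denom: "saUSDC".into(), amount: 5_000_000 }
}
```

`on_deposit_vulnerable` mints for any well-formed message, which is the behaviour described above; `on_deposit` refuses a packet from an attacker-opened channel and, as a second line of defence, a packet on the right channel from the wrong counterparty. `unbacked` compares minted supply with escrow per denom; run after every mint or on a block cadence, it flags the forged deposit at once instead of seven days later when a legitimate withdrawal hits "insufficient funds".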
Pattern
This incident follows a well-established pattern of bridge exploits. The forged messages were not malformed; they were well-formed instructions from an unauthenticated source, so the root cause is missing origin authentication on a privileged path rather than input validation in the narrow sense. The failure to authenticate the source of a privileged instruction is a recurring weakness that has been responsible for several high-value losses. The contract operated on implicit trust, assuming any correctly formatted call was legitimate, instead of a Zero Trust model that requires explicit verification of every instruction's origin and authority.
The delayed detection also mirrors prior incidents, highlighting a systemic weakness in the monitoring and alerting capabilities of many decentralised protocols. A one-week lag between a multi-million dollar exploit and its discovery indicates a reactive security posture, reliant on system failures or external reports rather than real-time anomaly detection. For privacy-centric blockchains like Secret Network, this raises the question of whether its confidentiality features inadvertently complicate the real-time auditing of public liquidity pools and contract states.
The response from the involved parties is also typical, demonstrating the fractured nature of accountability in a composable ecosystem. Axelar, the interoperability provider, clarified that its core protocol was not compromised and that the vulnerable contract was not developed or maintained by its team. Secret Network, the Layer 1 blockchain, confirmed its native token was unaffected but acknowledged that holders of the Axelar-bridged assets may have lost their funds. This leaves the application developer who deployed the faulty contract as the primary point of failure, and the end users with unbacked assets and little recourse.
This event is structurally similar to other bridge attacks where the logic of a peripheral contract, not the core blockchain or interoperability protocol, was the weak point. It underscores a critical principle: the security of a cross-chain system defaults to that of its least secure, and often unaudited, component.
Forward Implication
The immediate consequence is the total loss of value for holders of the affected saTokens on Secret Network. The network’s own admission that funds may be lost effectively renders these specific assets worthless, eroding confidence in third-party bridges on the platform. This creates a direct financial liability for users who trusted the integrity of the bridge’s architecture.
Axelar’s statement that its “firewalling prevented the impact from spreading to other chains” is a key detail. This implies the existence of a centralised or rules-based checkpoint system within Axelar’s network, capable of isolating or containing abnormal activity. While this prevented a wider contagion, it also highlights a centralisation trade-off. The nature of these firewalls, who controls them, and the conditions under which they are triggered become critical questions for assessing the true decentralisation and censorship resistance of the interoperability layer itself.
The attacker’s ability to successfully move $4.67 million through multiple chains and into centralised exchanges within a week of the exploit demonstrates the persistent difficulty of tracking and seizing illicit funds. The choice of specific exchanges for off-ramping will inform future forensic analysis and risk assessments by compliance firms.
This incident sets a precedent that will force other Layer 1 and Layer 2 networks to reconsider their relationship with third-party application developers. It is no longer sufficient for a platform to declare its own core protocol secure. The security of the applications built upon it, especially those managing user funds in bridges and other complex DeFi instruments, directly impacts the platform's viability and reputation. The critical question for all blockchain ecosystems is what standards, audits, and real-time monitoring are required for any third-party contract that is allowed to interface with major interoperability protocols and hold user deposits.
---
Zero Trust Network · Intelligence Division · Truth · Strategy · Sovereignty