A Three-Year-Old Bug Just Cost Secret Network $4.67M — and the Hacker Built a Whole Blockchain to Find It

  • Writer: Gator
  • 2 hours ago
  • 2 min read
Someone drained $4.67 million out of Secret Network's Axelar bridge by exploiting a validation flaw that had been sitting in the deployed code since March 2023 — and because of the way the privacy chain is built, nobody noticed for the better part of a week.

What Happened

The exploit targeted the Secret-side ICS-20 smart contract that handles transfers across the Cosmos bridge linking Secret Network and Axelar. The contract had one fatal blind spot: when a deposit packet came in, it only checked that the token's name matched an approved list. It never verified which IBC channel the deposit actually arrived through.

That gap was all the attacker needed. They spun up their own single-validator Cosmos SDK chain — effectively building a throwaway blockchain just to attack one contract — and opened a fresh IBC channel into the vulnerable bridge. From there they sent forged deposit packets that carried an approved token name, so the allowlist check passed, and since the contract never looked at the source channel there was nothing left to stop them. The bridge minted wrapped tokens on Secret that were never backed by anything, and those unbacked tokens were then redeemed for real assets through the legitimate Axelar channel.
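The validation gap described above, modelled as an added example (not the Secret-side contract's own code, whose source is not on this page): a name-only allowlist beside a check that first binds the deposit to the one trusted local channel. Struct and field names, the channel ids and the denom are constructed placeholders.

```rust
use std::collections::HashSet;

/// Inbound ICS-20 packet as the receiving contract sees it (constructed model;
/// field names are assumptions, not the real contract's).
pub struct IcsPacket {
    /// Local channel id the packet arrived on (the receiver-side end).
    pub dest_channel: String,
    /// Token name claimed by the sending chain.
    pub denom: String,
}

/// Bridge configuration: the allowlisted denoms and the single local channel
/// that was opened to the legitimate counterparty.
pub struct BridgeConfig {
    pub allowed_denoms: HashSet<String>,
    pub trusted_channel: String,
}

/// Vulnerable check, as the article describes it: name-only allowlist.
/// A packet from any channel passes as long as it claims an approved name.
pub fn accept_vulnerable(cfg: &BridgeConfig, pkt: &IcsPacket) -> bool {
    cfg.allowed_denoms.contains(&pkt.denom)
}

/// Hardened check: bind the deposit to the trusted channel first, then apply
/// the allowlist. Nothing is minted unless both hold.
pub fn accept_hardened(cfg: &BridgeConfig, pkt: &IcsPacket) -> Result<(), String> {
    if pkt.dest_channel != cfg.trusted_channel {
        return Err(format!("rejected: packet arrived on {}", pkt.dest_channel));
    }
    if !cfg.allowed_denoms.contains(&pkt.denom) {
        return Err(format!("rejected: denom {} not allowlisted", pkt.denom));
    }
    Ok(())
}

/// Constructed config: placeholder channel id and denom, not the real values.
pub fn demo_config() -> BridgeConfig {
    BridgeConfig {
        allowed_denoms: HashSet::from(["uaxl".to_string()]),
        trusted_channel: "channel-20".to_string(),
    }
}

fn main() {
    let cfg = demo_config();
    // Constructed forged packet: approved name, but it arrived on a fresh channel.
    let forged = IcsPacket { dest_channel: "channel-999".into(), denom: "uaxl".into() };
    println!("vulnerable accepts forged: {}", accept_vulnerable(&cfg, &forged));
    println!("hardened verdict: {:?}", accept_hardened(&cfg, &forged));
}
```

In real ICS-20 the voucher denom is derived from the port/channel trace, so pinning the local channel also pins which vouchers the contract can ever mint.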

The result was a classic infinite-mint: print fake collateral on one side, cash it out for the real thing on the other. The attack is believed to have hit around June 10, but Secret's privacy-by-default design meant the malicious flow stayed hidden in plain sight. Axelar only detected the breach on June 17 — roughly seven days later — and moved to disable the Secret Network connection.

Why It Matters

This is the rare exploit where privacy worked against the people it was meant to protect. The same shielded-by-default architecture that makes Secret attractive also gave the attacker a week of cover before anyone could trace the bleed. On a transparent chain, an infinite-mint of this size lights up block explorers almost instantly.

It's also a reminder that bridge code ages badly. The bug wasn't introduced in some rushed recent upgrade — it shipped in 2023 and quietly waited three years for someone clever enough to weaponize it. Custom validation logic that checks 'what' but not 'where' is exactly the kind of subtle assumption that survives audits and then detonates.

Axelar has stressed that the damage was contained to the Secret-side contract. There's no evidence the flaw touched Axelar's core network, its validator set, or any of its other integrations — an important distinction for a protocol that bridges dozens of chains.

What's Next

Roughly $770,000 of the stolen funds reportedly still sits in the attacker's Axelar wallet — and according to The Block, Axelar declined Secret's request to freeze it, a decision likely to fuel debate about how much intervention is appropriate from supposedly neutral cross-chain infrastructure. The Secret-Axelar bridge remains disabled while teams work through remediation, and users with assets bridged through it should expect a bumpy recovery process. Expect a full post-mortem and, almost certainly, a hard look at every other contract still running validation logic written in the same era.

© 2024 by Caffeine & Crypto. Powered and secured by Wix