
How a $4.67 Million Crypto Hack took a FULL WEEK For Anyone to Notice...

It took seven full days for anyone to realize $4.67 million had walked out of the Axelar to Secret Network bridge.

The drain happened on June 10, and nobody on either side noticed until June 17, when a routine cross-chain transfer failed and someone went to check the escrow balance on the Axelar side. The account was empty. Because Secret Network is built around a privacy-by-default design where contract state and transaction details are shielded from public view, the on-chain footprints that usually tip off security researchers within minutes were simply invisible.

That gave the attacker an entire week of breathing room while the funds were quietly moved off. Axelar's emergency committee has since disabled the Secret and Secret-SNIP connections, but the money is already gone.

An infinite-mint bug, wrapped in a custom contract

The vulnerability lived in a modified CW20-ICS20 contract on the Secret side of the bridge, which is the piece of code that handles inbound assets arriving over Cosmos IBC and mints Secret-wrapped versions of them. Those wrapped versions are the saTokens that DeFi users on Secret actually hold and trade. The attacker is accused of doing something elegantly simple: spinning up their own single-validator Cosmos chain, opening a brand new IBC channel directly to the Secret bridge contract, then self-relaying forged packets that carried token denominations matching the contract's allow-list. The contract checked which denomination was coming in. It did not check which channel that denomination was supposed to be coming from.

That single missing check is the entire story. Because the saToken contract trusted any properly-formatted IBC packet carrying a known denomination, the attacker was free to mint fully-backed-looking saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH out of thin air. Those freshly minted saTokens were then redeemed back over the legitimate Axelar IBC channel, which dutifully released the real escrowed assets sitting on the Axelar side. The Secret chain saw nothing unusual because the minting was technically valid. The Axelar chain saw nothing unusual because the redemptions were technically valid. Only the math on the escrow account disagreed, and nobody was looking at it.
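As an added example (not code from the bridge contract, Axelar or Secret Network), the plain-Rust model below contrasts the denom-only check the article describes with a check that binds each denom to its channel, and adds the escrow-vs-supply reconciliation that would have flagged the unbacked saTokens; the channel ids and denoms it uses are constructed placeholders.

```rust
// Added illustration, not the Secret bridge's actual contract code: a plain-Rust
// model (no cosmwasm-std) of the CW20-ICS20 receive path described above.
use std::collections::BTreeMap;

/// Inbound ICS20 packet as seen by the receiving (Secret-side) contract.
#[derive(Debug, Clone)]
pub struct IbcPacket { pub dest_channel: String, pub denom: String, pub amount: u128 }

#[derive(Debug, PartialEq)]
pub enum RecvError { UnknownDenom, WrongChannel }

/// Mint-model bridge state: each accepted denom is bound to exactly one channel,
/// and the running saToken supply is tracked per denom.
pub struct Bridge {
    allowed: BTreeMap<String, String>, // denom -> the one channel allowed to deliver it
    minted: BTreeMap<String, u128>,    // denom -> total saTokens minted so far
}

impl Bridge {
    pub fn new(bindings: &[(&str, &str)]) -> Self {
        let allowed = bindings.iter().map(|(d, c)| (d.to_string(), c.to_string())).collect();
        Bridge { allowed, minted: BTreeMap::new() }
    }

    /// The flaw the article describes: only the denom is consulted, so a packet
    /// self-relayed over an attacker-opened channel still gets minted.
    pub fn receive_denom_only(&mut self, p: &IbcPacket) -> Result<u128, RecvError> {
        if !self.allowed.contains_key(&p.denom) { return Err(RecvError::UnknownDenom); }
        Ok(self.mint(p))
    }

    /// Hardened path: the denom must be allow-listed AND arrive on the channel
    /// it is bound to; anything else is rejected before any mint happens.
    pub fn receive_channel_bound(&mut self, p: &IbcPacket) -> Result<u128, RecvError> {
        let bound = self.allowed.get(&p.denom).ok_or(RecvError::UnknownDenom)?;
        if *bound != p.dest_channel { return Err(RecvError::WrongChannel); }
        Ok(self.mint(p))
    }

    fn mint(&mut self, p: &IbcPacket) -> u128 {
        let total = self.minted.entry(p.denom.clone()).or_insert(0);
        *total += p.amount;
        *total
    }

    /// Out-of-band monitor: the escrow-vs-supply math the article says nobody was
    /// checking. Returns denoms whose minted supply exceeds the Axelar-side escrow.
    pub fn unbacked(&self, escrow: &BTreeMap<String, u128>) -> Vec<(String, u128)> {
        self.minted.iter()
            .map(|(d, m)| (d.clone(), m.saturating_sub(escrow.get(d).copied().unwrap_or(0))))
            .filter(|(_, gap)| *gap > 0)
            .collect()
    }
}
```

Running `unbacked` on a schedule against the escrow balance read from the Axelar side is the kind of out-of-band check that does not depend on Secret's shielded contract state being visible.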

A custom rework that never got externally audited

Investigators on the Secret side say the bridge contract had been adapted from a standard escrow model to a mint model when the Axelar integration was put together, and during that rework two validation functions that would have caught exactly this kind of forged-channel attack were removed from the code. Axelar reportedly never requested an external audit before flipping the connection live. Custom bridge code with its safety checks taken out, deployed without a fresh audit on a chain where outside parties cannot easily watch contract state: that is roughly the worst combination of factors a security researcher could draw up. The exploit itself was almost mundane once you understand how the contract was wired. The fact that nobody caught it for a week is the part that should worry every team running a CW20-ICS20 fork.

AXL up 5%, Secret holders less amused

Axelar's emergency committee has confirmed that the rest of the Axelar network is functioning normally and that the attack was isolated to the Secret connection. Exchanges and law enforcement have reportedly been notified, and the investigation is still open as of this week. Somewhat strangely, AXL has actually traded up around 5% since the news broke, possibly because the market read the quick shutdown as evidence the emergency procedures work the way they were advertised. Secret Network's SCRT, on the other hand, is having a less celebratory week. Holders who used the bridge are now waiting to see whether the Secret community decides to socialize the loss across treasury or staker funds, and whether the Axelar side chips in any of the recovery.

Bridges keep failing the same way

If you have followed crypto security for any length of time you have seen this exact movie before: a custom fork of a standard contract with a couple of safety checks quietly removed, no external audit, and a clever attacker who reads contract code faster than the deployers ever did. What is genuinely new here is the role privacy played in the timeline. The same on-chain opacity that makes Secret Network appealing to users who want shielded balances also blinded the wider security community to the fact that a drain was already in progress for a full week. There is a real conversation to be had about how privacy chains build out-of-band monitoring so the next incident gets caught in hours rather than days. For now, bridge users are out roughly four and a half million dollars, and another integration is being unwound on the fly.

---------------

Author: Dorian Fenwick
Silicon Valley Newsroom
Breaking Crypto News