Secret Network Axelar Bridge Hack 2026 — $5M Exploit Analysis

An attacker drained $4.67M from Secret Network's Axelar bridge by exploiting a contract that minted unbacked wrapped tokens without verifying where deposits came from.

Details

Full Description

On June 10, 2026, an attacker exploited a modified CW20-ICS20 contract on Secret Network. The contract minted Secret-wrapped versions of Axelar assets (saTokens) without checking which channel an inbound transfer came from. The attacker created a custom single-validator Cosmos chain, opened a new IBC channel, and sent forged ICS-20 deposit packets. The contract treated forged packets as real deposits and minted unbacked tokens. Seven tokens were minted (~$4.67M) in ~6 minutes. Eighteen minutes later, the attacker redeemed them through the legitimate Axelar channel, draining the escrow. The attack went undetected for 7 days because Secret encrypts balances by default. Discovered June 17 when a cross-chain transfer failed.

Laundering Analysis

Stolen funds moved through Osmosis, swapped into ETH on a DEX, scattered across dozens of wallets, then to KuCoin, ChangeNow, and HitBTC. ~$672K still sits in attacker's Axelar wallet. Axelar declined Secret's freeze request. No recovery reported.

Sources

Transaction Hashes

Related Hacks

Back to Browse