Axelar Disables Secret Network IBC Links After $4.67 Million Token Theft

Axelar Network said it identified an incident affecting assets bridged via IBC from the Axelar chain to Secret Network, with about $4.67 million in tokens stolen. According to ChainCatcher, Axelar said the issue appears limited to the Secret-side ICS-20 smart contract used in the Cosmos IBC connection between Secret and Axelar for bridging assets from Axelar to Secret.

Axelar said its emergency committee disabled the Secret and Secret-SNIP connections after detecting the incident and that the team is contacting relevant exchanges and law enforcement. It added that other IBC connections, Secret tokens, other Axelar integrations, and Axelar’s core protocol do not appear to be affected.

Separately, Common Prefix’s analysis of the Secret Network incident said an attacker exploited an infinite-mint vulnerability in a modified CW20-ICS20 token contract on Secret to steal about $4.67 million. The analysis said the attacker created a new Cosmos chain with a single validator and self-relayed IBC packets to mint arbitrary Secret-wrapped Axelar assets on Secret.

Common Prefix said the contract did not verify which IBC channel inbound tokens came from, and the attacker exited through the Axelar bridge. Axelar was not compromised, and the protocol prevented the issue from spreading to other chains, the analysis said.