PANews, June 20 – Axelar Network stated on X that it has identified an incident affecting assets bridged from the Axelar chain to Secret Network via IBC, with approximately $4.67 million worth of tokens stolen. Based on currently available information, the issue is limited to the ICS-20 smart contract on the Secret side, which is part of the Cosmos IBC connection between Secret and Axelar used to bridge assets from Axelar to Secret. The Axelar emergency committee immediately disabled the Secret and Secret-SNIP connections upon discovering the incident. The team is contacting relevant exchanges and law enforcement agencies. This incident is limited to assets bridged from Axelar to Secret via IBC. Other IBC connections or Secret tokens do not appear to be affected. Other Axelar integrations are unaffected. Axelar’s core protocol is unaffected.

Separately, according to Common Prefix’s analysis of the Secret Network incident, an attacker exploited an infinite minting vulnerability in a modified CW20-ICS20 token contract on Secret, stealing approximately $4.67 million. The attacker launched a new Cosmos chain (with only one validator) and self-relayed IBC packets to it, minting arbitrary Secret-wrapped Axelar assets on Secret. The contract did not verify which IBC channel the inbound tokens came from. The attacker exited via the Axelar bridge. The Axelar protocol was not compromised and prevented contagion from spreading to other chains.