Secret Network Bridge Exploit Goes Undetected for Seven Days, Drains $4.67M

Secret Network lost $4.67 million after hackers exploited a faulty token contract to mint unbacked saTokens and redeem real assets held in escrow. The attack occurred on June 10 but went undetected until June 17. Axelar said its core network and the IBC protocol were not compromised.
Written By: Kelvin Munene
Reviewed By: Manisha Sharma

Secret Network has reported a $4.67 million loss after an attacker exploited a faulty token contract linked to assets bridged through Axelar. The breach began on June 10, 2026, but operators did not detect it until June 17, when a routine cross-chain transfer failed due to insufficient funds.

The attacker created false deposits, minted unbacked Secret Network tokens and redeemed them for real assets held in escrow. Secret Network and Axelar agree that the incident affected a contract on the Secret side. However, the two projects have offered different accounts of where responsibility rests.

Flawed Contract Allowed Unbacked saTokens to Enter Circulation

Blockchain research firm Common Prefix traced the attack to a modified CW20-ICS20 token contract. The contract handled Axelar-linked assets on Secret Network. Investigators said it failed to confirm the source channel of incoming transfers before issuing wrapped tokens.

This gap allowed the attacker to use a controlled communication channel and submit deposits that appeared valid. The contract then minted saTokens without matching collateral. The attacker redeemed those tokens through normal bridge routes and withdrew genuine assets from escrow.

The fake tokens looked identical to properly backed assets inside the system. This allowed the attacker to use standard redemption steps instead of directly breaking Axelar validators or the wider IBC protocol. The method turned a local contract flaw into a cross-chain loss.
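The missing check can be shown with a small model. This is an added example, not code from the Secret Network contract or from Common Prefix's report; the `Packet` and `Bridge` types, the channel names and the denoms are all constructed for illustration. It refuses to mint unless the packet arrived on an allow-listed channel for that denom.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed model of an incoming transfer packet (not the real IBC type).
pub struct Packet {
    pub channel: String, // local channel the packet arrived on
    pub denom: String,
    pub amount: u128,
}

#[derive(Debug, PartialEq)]
pub enum MintError {
    UntrustedChannel(String),
    DenomNotAllowed(String),
}

/// Hypothetical minting bridge: tracks wrapped supply per denom.
pub struct Bridge {
    allowed: HashMap<String, HashSet<String>>, // trusted channel -> denoms
    pub supply: HashMap<String, u128>,
}

impl Bridge {
    pub fn new(allow: &[(&str, &str)]) -> Self {
        let mut allowed: HashMap<String, HashSet<String>> = HashMap::new();
        for (ch, denom) in allow {
            allowed.entry(ch.to_string()).or_default().insert(denom.to_string());
        }
        Bridge { allowed, supply: HashMap::new() }
    }

    /// Mint only when the packet arrived on an allow-listed channel for that denom.
    pub fn receive(&mut self, p: &Packet) -> Result<u128, MintError> {
        let denoms = self
            .allowed
            .get(&p.channel)
            .ok_or_else(|| MintError::UntrustedChannel(p.channel.clone()))?;
        if !denoms.contains(&p.denom) {
            return Err(MintError::DenomNotAllowed(p.denom.clone()));
        }
        let total = self.supply.entry(p.denom.clone()).or_insert(0);
        *total = total.checked_add(p.amount).expect("supply overflow");
        Ok(*total)
    }
}

fn main() {
    let mut b = Bridge::new(&[("channel-trusted", "uusdc")]);
    let bad = Packet { channel: "channel-other".into(), denom: "uusdc".into(), amount: 1_000 };
    println!("{:?}", b.receive(&bad)); // rejected before any mint
}
```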

Affected tokens included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH. The attacker later moved the funds through Osmosis to Ethereum, exchanged much of the value for Ether through CoW Protocol and split the proceeds across about 30 wallets.

Seven-Day Delay Raises Questions Over Detection Controls

The exploit stayed hidden for seven days. It surfaced only after a separate transfer on June 17 produced an insufficient-funds error in the account holding bridged assets. Researchers then reviewed earlier transactions and linked the missing funds to the June 10 attack.

Common Prefix said two checks used to verify transfer sources had been removed when the contract changed from a custody model to a minting model. Reports also state that the contract had not received an outside audit since its deployment in early 2023.

Secret Network said Axelar’s bridge system ‘failed to trigger effective anomaly detection or an emergency pause’ before the funds left. This claim remains disputed. Axelar said its core network and the Inter-Blockchain Communication protocol were not breached, adding that the faulty contract was not built or maintained by Axelar.

Secret Network and Axelar Dispute Responsibility After Loss

Secret Network warned holders that affected Axelar-bridged saTokens ‘may no longer be fully backed.’ It also said the native SCRT token was not involved. Users holding the listed assets face uncertainty while the projects review balances and recovery options.

Axelar disabled the relevant connections after confirming the loss. It said the incident was limited to the Secret-side contract and did not affect other IBC links. The team also said it was working with exchanges and law enforcement to trace the stolen funds.

Some assets reached KuCoin, ChangeNow and HitBTC, while about $672,000 reportedly remained in an Axelar-linked attacker wallet. Secret Network said it asked Axelar to freeze the address, but Axelar reportedly declined. Neither side has announced a full recovery plan or confirmed how losses will be allocated.
