How Did The Axelar-Secret Bridge Exploit Happen?
An attacker drained roughly $4.67 million from Secret Network’s Axelar bridge after exploiting a flaw in a modified bridge contract that handled assets moving from Axelar to Secret Network.
The attack targeted a modified CW20-ICS20 contract on Secret Network. The contract was designed to mint Secret-wrapped versions of Axelar-wrapped assets, known as saTokens, when tokens moved through the bridge. But the contract did not properly check which channel an inbound transfer came from. That missing validation allowed the attacker to forge deposits and mint Secret-wrapped tokens with no real assets backing them.
The attacker used a single-validator Cosmos chain, opened an IBC channel to the bridge contract, and relayed forged packets carrying token denominations that matched the contract’s allow-list. Because the contract could not distinguish those denominations from transfers arriving through Axelar’s legitimate channel, it minted saTokens against fake deposits. The attacker then redeemed those balances through the real Axelar channel and withdrew actual tokens from escrow.
The drain affected seven Secret-wrapped tokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. The vulnerability had existed since the contract’s initial deployment in early 2023 and remained in place after a March 5 migration that updated the contract for new features.
Why Did The Attack Stay Hidden For Seven Days?
The June 10 exploit went undetected until June 17, when a normal cross-chain transfer failed because the Axelar escrow account no longer held enough assets to complete it. Investigators then traced the missing collateral back to seven withdrawals made a week earlier.
The delay highlights a specific risk for encrypted networks. Balances on Secret Network are encrypted by default, so the missing collateral was not visible in the same way a drained liquidity pool would be on a public Ethereum-based system. That reduced the chance of quick detection through normal on-chain monitoring.
Secret Network said the bridge contract had been adapted from an escrow model to a mint model for the Axelar integration and that two functions that would have validated the source of a transfer were removed in that rework. The team also said no external audit was requested by Axelar as part of the integration.
Secret Network argued that no effective monitoring, anomaly detection, or emergency pause mechanism halted the unusual transfers before the bridge assets were substantially drained. Axelar has pushed back on any reading that places the failure on its core protocol, saying neither Axelar nor IBC was compromised and that the exploited token smart contract was not developed, deployed, or maintained by Axelar.
Investor Takeaway
The exploit shows how cross-chain risk can sit outside the core bridge protocol. A modified token contract, weak channel validation, and limited monitoring were enough to turn a local integration flaw into a multi-million-dollar asset drain.
What Happened To The Stolen Funds?
After the exploit, the attacker moved stolen assets to Axelar, routed them through Osmosis using automated packet forwarding, then bridged them to Ethereum. Most of the assets were swapped for ether through CoW Protocol before being split into roughly 30 transfers to fresh wallets and sent to deposit addresses at KuCoin, ChangeNow, and HitBTC.
Axelar’s emergency committee disabled the Secret and Secret-SNIP connections after the issue was discovered. Cross-chain router Squid also removed Secret Network from its frontend. Axelar said its core protocol was not affected and that no other chains, channels, or escrow accounts were touched.
Secret Network said about $770,000 of the stolen funds remained in the attacker’s Axelar wallet at the time of its forum post and that it asked Axelar to freeze the assets or work with the community to do so. Secret said Axelar decided not to pursue that request. Later wallet data showed about $672,000 still sitting in the attacker’s Axelar wallet, including WBTC, USDC, WBNB, and AXL.
Axelar said it is coordinating with exchanges and law enforcement but has not provided a timeline for restoring the affected connection. That leaves users and protocols exposed to uncertainty over recovery, bridge reopening, and any future contract migration.
Investor Takeaway
For investors, the main issue is not only the size of the loss. It is the recovery process. The dispute over freezing remaining assets shows how cross-chain incidents can turn into governance and coordination problems after the technical failure is contained.
Why This Matters For Cross-Chain Infrastructure
The Secret Network incident adds to a wider run of cross-chain exploits in 2026. In April, an attacker drained about $292 million in rsETH from Kelp DAO’s LayerZero-based bridge, an incident that affected liquidity across DeFi before a recovery effort helped contain the damage.
The latest exploit is smaller in dollar terms, but it raises similar questions about bridge architecture, integration review, and operational monitoring. Cross-chain systems now secure enough value that contract-level assumptions can become market-level risks. When a bridge contract mints wrapped assets without strict source validation, the damage can move quickly from a technical bug to real asset losses.
The incident also shows why encrypted networks require different monitoring assumptions. Privacy-preserving design can protect users, but it can also make collateral shortfalls harder to see until withdrawals fail. That creates a harder trade-off for protocols trying to combine privacy, cross-chain liquidity, and institutional-grade risk controls.
For Axelar, the response depends on separating its core protocol from the custom contract that failed. For Secret Network, the priority is restoring confidence in the integration process and showing that future bridge contracts have stronger validation, monitoring, audits, and emergency controls.
The broader message for DeFi is clear: bridge security is no longer judged only by whether the base messaging protocol works. Investors, exchanges, and protocols are also watching contract modifications, deployment history, audit scope, pause mechanisms, and how quickly teams respond when hidden collateral gaps surface.
