Secret Network bridge exploited for $4.7M with ‘infinite mint’ bug
An attacker has used an “infinite mint” bug in a vulnerable smart contract on the Secret Network to create unbacked, wrapped versions of Axelar-wrapped assets, resulting in a $4.67 million exploit.
The exploit happened on June 10 but was discovered a week later on June 17, after a failed cross-chain transaction caused by an “insufficient funds” error in the drained account was detected, blockchain research firm Common Prefix reported on Friday.
The attacker redeemed the Axelar-wrapped assets (saTokens) back over legitimate channels to drain the real Axelar-wrapped assets held in escrow because the smart contract did not verify the source of the inbound transfer before minting, so “deposits forged over an attacker-controlled channel minted genuine saTokens with no assets backing them,” Common Prefix said.