Catenaa, Tuesday, June 23, 2026- Secret Network has suspended its bridge connection to Axelar after attackers exploited a long-standing smart contract vulnerability to steal approximately $4.67 million in wrapped assets, exposing fresh weaknesses in cross-chain infrastructure that remains one of decentralized finance’s most vulnerable sectors.
The exploit, which reportedly ran undetected from June 10 to June 17, allowed attackers to mint unbacked tokens and redeem them for legitimate assets held in bridge escrow accounts. The breach affected seven Axelar-wrapped assets and prompted emergency actions from both Secret Network and Axelar.
The incident also triggered renewed debate over accountability within decentralized bridge ecosystems, with both projects emphasizing that the vulnerability originated within infrastructure outside their direct control.
Security researchers traced the exploit to a modified CW20-ICS20 smart contract deployed on Secret Network as part of its integration with Axelar.
According to technical analysis published by security firm Common Prefix, two critical validation mechanisms had been removed from the contract’s packet verification process.
One missing check should have verified that incoming token denominations originated from legitimate communication channels. Another should have ensured token redemptions could not exceed assets actually held in escrow.
Without those safeguards, attackers were able to create unlimited quantities of wrapped assets.
The vulnerability reportedly dates back to the contract’s original deployment in March 2023 and remained active through a subsequent upgrade in March 2026.
To exploit the flaw, the attacker launched a Cosmos SDK blockchain controlled by a single validator and established a new Inter-Blockchain Communication (IBC) connection to Secret Network.
Because IBC channel creation is permissionless, the connection itself did not trigger alarms.
The attacker then transmitted forged cross-chain messages containing approved token identifiers. With verification safeguards missing, the contract accepted the messages and minted new wrapped tokens without requiring corresponding collateral.
Those newly created assets were subsequently redeemed through legitimate Axelar channels for real tokens locked in escrow.
The process effectively transformed counterfeit assets into genuine ones.
The attack drained seven Axelar-wrapped assets from the bridge ecosystem.
The affected tokens included wrapped versions of USDT, USDC, DAI, Ethereum, Bitcoin, BNB and liquid staking token wstETH.
Investigators have traced portions of the stolen funds through multiple blockchain ecosystems, including Osmosis and Ethereum.
Approximately $600,000 of the affected assets were reportedly connected to users of Shade Protocol, although the protocol itself was not directly compromised.
Following disclosure of the breach, Axelar’s Emergency Committee suspended bridge connections involving Secret Network.
Cross-chain routing platform Squid also removed Secret Network support from its interface.
Both Secret Network and Axelar said they are coordinating with exchanges, blockchain analytics firms and law enforcement agencies in an effort to track and potentially recover stolen assets.
The two organizations issued a joint disclosure regarding the incident but have not yet released a comprehensive post-mortem report.
The incident has exposed ongoing challenges regarding responsibility in multi-chain infrastructure.
Axelar stated the exploited smart contract was developed, deployed and maintained outside its direct control and emphasized that the vulnerability was isolated to the Secret-side implementation.
Secret Network acknowledged that the flaw existed within contracts associated with the bridge integration.
The dispute highlights a recurring challenge in decentralized ecosystems where multiple parties contribute to infrastructure but responsibility becomes less clear when failures occur.
The exploit serves as another reminder that cross-chain bridges remain one of the highest-risk components of decentralized finance.
Bridges routinely manage large pools of locked assets while relying on complex smart contracts, relayers and messaging systems spread across multiple blockchains.
Historically, bridge-related attacks have accounted for some of the largest losses in cryptocurrency history, including exploits affecting Ronin, Wormhole, Harmony Horizon and Multichain.
The Secret-Axelar incident differs from many previous bridge hacks because the attack did not rely on compromised keys or validator manipulation. Instead, it exploited fundamental contract logic failures that remained hidden for years.
Cross-chain bridges allow assets to move between otherwise separate blockchain networks. The process typically involves locking tokens on one chain while issuing wrapped representations on another. These systems are essential for liquidity movement across decentralized finance ecosystems but introduce additional technical risks compared with single-chain applications.
Secret Network is a privacy-focused blockchain built within the Cosmos ecosystem, while Axelar operates cross-chain communication infrastructure linking dozens of blockchain networks. The latest exploit underscores growing industry concerns that even mature bridge architectures remain vulnerable to overlooked smart contract flaws, particularly when integrations span multiple teams, codebases and security assumptions.
