Key Highlights
- Axelar reported a security exploit involving approximately $4.67 million in bridged assets on Secret Network.
- The vulnerability targeted the Secret-side ICS-20 smart contract used for IBC transfers from Axelar.
- The emergency committee disabled Secret and Secret-SNIP connections to prevent additional unauthorized transfers.
Axelar, a decentralized interoperability network, has disclosed a security incident involving approximately $4.67 million worth of tokens bridged via IBC to the Secret Network. The exploit specifically targeted assets transferred from the Axelar chain to Secret Network, marking another breach in the growing cross-chain interoperability sector.
In a detailed X post on Friday, the network stated that the vulnerability was isolated to the Secret-side ICS-20 smart contract within the Cosmos IBC connection between Secret and Axelar. This contract handles assets bridged from Axelar to Secret. The issue did not affect Axelar’s core protocol, other IBC connections, or native Secret tokens.
The Axelar emergency committee acted upon the discovery of the incident. They immediately disabled both the Secret and Secret-SNIP connections to prevent any further unauthorized transfers. The team is now actively coordinating with relevant exchanges and law enforcement agencies to track the stolen funds and support recovery efforts.
“This incident is isolated to assets on Secret that were bridged over IBC from Axelar,” Axelar emphasized. “No other Axelar integrations or IBC connections appear to be impacted.” The company also confirmed that its broader infrastructure remains secure and operational.
The Crypto Times team contacted Axelar for a comment on the exploit but hasn’t received one at the time of posting this.
Victim contract identified in the attack
According to on-chain forensics F12, the primary victim contract is secret1yxjmepvyl2c25vnt53cr2dpn8amknwausxee83, one of the verified gateways for channels 60/61 connecting to Axelar’s axelar-dojo-1 chain.
The security firm also identified two related contracts: secret1nvytjz7t5wakf0ra5y47dfenatwxpggmkwc5ru and secret1e2lwttdwnpxpg6hudplfl54pdx4404nm54mj8r. Because Secret Network is a privacy-focused blockchain, transaction details and balances are encrypted, making the exploit transaction invisible on-chain.
Persistent risk in DeFi industry
This incident serves as a reminder of the persistent risks in decentralized finance (DeFi) and cross-chain infrastructure. Bridge exploits have historically accounted for some of the largest losses in the industry, often targeting smart contract weaknesses or oracle manipulations.
2026 has been a brutal year for DeFi security. In April alone, losses exceeded $600 million. The two largest attacks were KelpDAO (around $292 million) on April 18 via a cross-chain bridge exploit involving fake messages and Drift Protocol ($295 million) on April 1 through sophisticated social engineering and key compromise by North Korean hackers (Lazarus Group).
These incidents, along with dozens of smaller exploits, pushed total DeFi losses well over $800 million by mid-2026, highlighting persistent vulnerabilities in bridges, access controls, and operational security.
Users are advised to exercise caution when bridging assets, especially to privacy-focused chains, and to monitor official channels for updates.
Also Read: Murad Mahmudov’s Memecoin Portfolio Drops 83% From $67M Peak
