Key Highlights
- Common Prefix identified missing channel validation checks in Secret Network’s customized CW20-ICS20 contract as the root cause of the exploit.
- Attackers exploited the flaw to mint unbacked saTokens and drain approximately $4.67 million in bridged assets.
- The vulnerable contract failed to verify packet source channels and escrow balances during IBC transfers.
A detailed technical analysis by Common Prefix, a team specialized in blockchain science consulting services, reveals how a subtle but critical flaw in Secret Network’s custom IBC bridge contract enabled a $4.67 million infinite-mint exploit on June 10, 2026.
According to the detailed technical analysis, the vulnerability centered on a modified CW20-ICS20 smart contract deployed on Secret Network (secret-4) specifically for the Axelar connection.
This contract handled inbound IBC transfers and minted privacy-preserving “Secret Axelar Wrapped Tokens” (saTokens) such as saUSDC, saUSDT, saWBTC, and others. Unlike standard IBC implementations, it failed to enforce proper source channel validation when processing packets.
Breakdown of the attack
Common Prefix’s breakdown highlights that the contract was a fork of Secret’s SNIP-20 ICS-20 implementation, further customized for Axelar integration. In the do_ibc_packet_receive function, developers had commented out two essential checks:
- parse_voucher_denom(&msg.denom, &packet.src), which would have validated the denomination’s channel trace against the actual source of the packet.
- reduce_channel_balance(…), which would have limited token releases to amounts genuinely escrowed on that specific channel.
Without these validations, the contract accepted bare token denominations (those without a /port/channel prefix) from any IBC channel as long as they matched its allow-list. This made tokens arriving over an attacker-controlled channel indistinguishable from those arriving over the legitimate Axelar channel (channel-69 on Axelar ↔ channel-61 on Secret).
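To make the two missing checks concrete, here is an added, deliberately simplified Rust model of the receive path (example code written for this article, not the Secret contract's or Common Prefix's code): `receive_vulnerable` mirrors the allow-list-only behaviour described above, while `receive_checked` restores the channel-trace and per-channel escrow checks. The struct and function names, the storage layout and the sample balances are assumptions; only the channel identifiers come from the analysis.

```rust
use std::collections::HashMap;

// Constructed, simplified model of an ICS-20 receive handler (not the real contract).
pub struct Endpoint { pub port_id: String, pub channel_id: String }
pub struct Packet { pub src: Endpoint, pub dest: Endpoint, pub denom: String, pub amount: u128 }

pub struct Bridge {
    pub allow_list: Vec<String>,                          // accepted base denoms
    pub channel_balance: HashMap<(String, String), u128>, // (receiving channel, denom) -> escrowed
    pub minted: HashMap<String, u128>,                    // saToken supply minted per denom
}

/// Accept only "{port}/{channel}/{denom}" whose port/channel equal the packet's source endpoint.
pub fn parse_voucher_denom<'a>(denom: &'a str, src: &Endpoint) -> Result<&'a str, String> {
    let parts: Vec<&str> = denom.splitn(3, '/').collect();
    if parts.len() != 3 { return Err("bare denom: no channel trace".into()); }
    if parts[0] != src.port_id || parts[1] != src.channel_id {
        return Err(format!("trace {}/{} does not match packet source", parts[0], parts[1]));
    }
    Ok(parts[2])
}

/// Release no more than what is actually escrowed for this denom on this channel.
pub fn reduce_channel_balance(bal: &mut HashMap<(String, String), u128>, channel: &str,
                              denom: &str, amount: u128) -> Result<(), String> {
    let entry = bal.get_mut(&(channel.to_string(), denom.to_string()))
        .ok_or("nothing escrowed on this channel")?;
    if *entry < amount { return Err("amount exceeds channel escrow".into()); }
    *entry -= amount;
    Ok(())
}

impl Bridge {
    /// Vulnerable path: only the allow-list is consulted, so a bare denom from any channel mints.
    pub fn receive_vulnerable(&mut self, p: &Packet) -> Result<(), String> {
        if !self.allow_list.contains(&p.denom) { return Err("denom not allowed".into()); }
        *self.minted.entry(p.denom.clone()).or_default() += p.amount;
        Ok(())
    }

    /// Hardened path: the trace must match packet.src and the release is capped by escrow.
    pub fn receive_checked(&mut self, p: &Packet) -> Result<(), String> {
        let base = parse_voucher_denom(&p.denom, &p.src)?;
        if !self.allow_list.iter().any(|d| d.as_str() == base) { return Err("denom not allowed".into()); }
        reduce_channel_balance(&mut self.channel_balance, &p.dest.channel_id, base, p.amount)?;
        *self.minted.entry(base.to_string()).or_default() += p.amount;
        Ok(())
    }
}
```

With the checks in place, a forged bare denomination over a freshly opened channel fails the trace check, and even a correctly traced denomination cannot release more than that channel has escrowed.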
The Inter-Blockchain Communication (IBC) protocol relies on per-channel isolation. Tokens transferred across chains are escrowed on the source and represented by vouchers on the destination, with denomination paths ensuring they can only be redeemed over the originating channel. Opening new IBC channels is permissionless by design, allowing anyone to connect a new chain, run light clients, and transfer assets.
The attacker exploited this by spinning up a fake Cosmos chain with a single validator, opening a new IBC channel to Secret, and self-relaying forged IBC packets containing bare denominations that matched the allow-list. The contract minted fully circulating supplies of unbacked saTokens. These were then redeemed over the legitimate Axelar IBC channel, draining the real escrowed assets on the Axelar side.
The affected contract (Code ID 2446 at secret1yxjmepvyl2c25vnt53cr2dpn8amknwausxee83) carried this flaw from its initial deployment in March 2023. A migration on March 5, 2026, updated the bytecode for new features but preserved the missing validation logic.
Exploit led to millions in losses
According to the analysis, approximately $4.67 million across saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH was drained. The impact was confined to Secret-wrapped Axelar assets on this specific IBC connection. Axelar’s core protocol, other channels, assets, and escrow accounts remained unaffected.
Axelar’s firewalling functionality detected the anomaly early and prevented broader contagion. The Emergency Committee disabled the Secret connection, Squid removed Secret support from its frontend, and the Secret team was notified to address the contract.
This incident, as dissected by Common Prefix, demonstrates the risks of customizing IBC token-handling contracts without maintaining strict channel and denomination validation. While IBC’s trust-minimized and permissionless design powers seamless interoperability across Cosmos chains, it demands precise implementation of accounting rules to prevent such exploits. The analysis serves as a valuable reference for teams building similar bridges.
