Seasons
Leaderboard
News
Learn
Research
Ranking
Ecosystem
Wallet

Secret Network’s $4.67M Bridge Heist Started With One Missing Check

profile-mehjabeen-arsiwala
Mehjabeen Arsiwala1 hour ago
#Hackers#Secret Network
Secret Network’s $4.67M Bridge Heist Started With One Missing Check

An attacker drained roughly $4.67 million from a Secret (SCRT) bridge tied to Axelar (AXL), exploiting a flawed contract that minted unbacked tokens out of nothing.

Key Points:

  • A flawed Secret Network contract let an attacker mint unbacked tokens, draining about $4.67 million.
  • The theft stayed hidden for seven days until a failed transfer exposed the empty escrow.
  • Axelar disabled the affected connections and said its core protocol was never touched.

Secret Network Bridge Loses Millions

The theft began on Jun. 10 yet went unnoticed for seven days, since Secret encrypts balances by default and the missing collateral never showed on chain. It surfaced only on Jun. 17, when a routine cross-chain transfer failed because the escrow account had run dry. Investigators then traced the shortfall back to seven suspicious withdrawals made on the opening day.

Axelar confirmed the loss on Jun. 19 and disabled the affected Secret and Secret-SNIP connections within hours, while stressing that its core protocol was never touched. The team said it has contacted exchanges and law enforcement to trace the funds, about $672,000 of which still sits untouched in the attacker's main wallet.

Also Read: Bitcoin ETF Exodus Hits Record $6.35B, But Panic Selling May Be Cooling

Infinite-Mint Flaw Fooled The Contract

The vulnerable contract minted Secret-wrapped copies of bridged assets but never verified which channel a deposit truly came from, matching only a token's name against an approved list.

Research firm Common Prefix published a postmortem mapping how that single gap unraveled. Because the network hides transfers by default, tracing the attacker proved far harder than it would have on a fully transparent public ledger.

To exploit it, the attacker spun up a chain with one validator, opened an unauthorized channel, and self-relayed forged packets carrying token names lifted straight from the allow-list.

The contract accepted them and minted real, redeemable tokens with nothing whatsoever behind them.

Redeeming those fakes through the genuine channel then emptied the escrow across seven wrapped assets. The flaw was not new, and the firm reported that the same logic had sat in the code since 2023 and survived a March 2026 migration. Secret added that no outside audit was requested when the bridge was first built.

Cross-Chain Bridges Stay Exposed

The stolen funds moved through Osmosis, swapped into Ether (ETH) on a decentralized exchange, and scattered across dozens of fresh wallets before finally reaching three centralized exchanges. The broader market response stayed muted, with Axelar's token slipping about 2.2% on the day and Secret holding nearly flat.

Still, the loss extends a brutal year for cross-chain infrastructure. Bridges built on similar lock-and-mint designs remain the most exploited surface in crypto, with comparable flaws costing more than $340 million across the industry in 2026. The toll includes a $25 million breach at Resolv, an $11 million loss at Verus, and a $4 million hit to IoTeX.

Read Next: JaredFromSubway Bot Loses $7.5M After Taking Its Own Bait

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.
Related News
Verus-Ethereum Bridge Bleeds $11M In Fresh Cross-Chain Attack
May 18, 2026
A Verus-Ethereum (ETH) bridge attacker drained 103.6 tBTC, 1,625 ether and 147,000 USD Coin (USDC) on Monday, swapping the haul for over $11 million.
Alephium Says Off-Chain Flaw, Not Stolen Keys, Opened $815K Breach
Jun 01, 2026
A cross-chain bridge linking the Alephium (ALPH) network to Ethereum (ETH) and BNB Chain lost roughly $815,000 in about seven minutes after attackers
Aztec Connect Loses $2.1M In Exploit Of Zombie Contract Frozen For 3 Years
Jun 15, 2026
An attacker drained more than $2.1 million from Aztec Connect on Jun. 14, exploiting a verification flaw in a privacy protocol that shut down three ye
Syscoin Halts Bridge After Exploit Spawns 5B Unauthorized SYS
Jun 08, 2026
Syscoin (SYS) paused its cross-chain bridge after an attacker exploited a validation flaw and minted roughly 5 billion unauthorized tokens. Key Point
Hyperbridge Exploit Losses Hit $2.5M, Ten Times The Initial Estimate
Apr 16, 2026
Hyperbridge now estimates losses from this week's cross-chain bridge exploit at roughly $2.5 million, more than ten times its original figure of $237,
Related Research Articles
Cross-Chain Bridges Keep Getting Drained, So Why Does Everyone Still Use Them?
Jun 01, 2026
Cross-chain bridges move billions of dollars every week. They connect blockchains that were never designed to talk to each other. They are also, cons
Biggest Crypto Exploits Of 2025–2026: What Really Went Wrong
Mar 23, 2026
Crypto hacks in 2025 and early 2026 exceeded every prior annual record by dollar value, with losses reaching as high as $3.4 billion across a landscap
Web3's Security Crisis In 2026: Why The Biggest Hacks Are No Longer Just Smart-Contract Bugs
Apr 10, 2026
The crypto industry lost a record $3.4 billion to hacks in 2025, yet the defining story is not about buggy Solidity code. It is about compromised deve
Claude Mythos And Crypto: What The New AI Threat Means For Trading
Apr 15, 2026
Anthropic revealed Claude Mythos Preview on Apr. 7, 2026, as the most powerful AI model it has ever built, and the first it has explicitly refused to
Why DEX Exploits Cost $3.1B in 2025: Analysis of 12 Major Hacks
Oct 27, 2025
Lately the cryptocurrency world witnessed another devastating lesson in the fragility of decentralized finance. BunniDEX, a promising decentralized
Related Learn Articles
How Crypto Bridges Actually Work - And Why They Keep Getting Hacked
Apr 07, 2025
The blockchain revolution has ushered in a new era of decentralized systems, where independent networks like Ethereum, Solana, Avalanche, and Bitcoin
What are Rug Pulls and How to Spot It: 7 Critical Red Flags
Apr 15, 2025
Сryptocurrency has revolutionized financial possibilities with its promise of decentralization, democratized access, and borderless transactions. Howe
7 Warning Signs Of Crypto Fraud That The $17B Scam Industry Hopes You Miss
Mar 16, 2026
Cryptocurrency scammers stole an estimated $17 billion in 2025, according to Chainalysis, while the FBI recorded $9.3 billion in reported U.S. losses
Protect Your Crypto Exchange Account: Advanced Security Strategies Explained
May 19, 2025
Social engineering has become the leading threat in the cryptocurrency ecosystem, targeting human behavior instead of technical flaws to breach securi
Ethereum's Kohaku Framework Explained: How 2025's Privacy Upgrade Changes Wallet Security
Nov 20, 2025
Ethereum has long harbored a paradox that sits at the core of its identity: a network built on transparency that increasingly leaves its users exposed
Secret Network’s $4.67M Bridge Heist Started With One Missing Check | Yellow.com