Secret Network bridge exploited for $4.7M with ‘infinite mint’ bug

An exploit of the Secret Network went undiscovered for a week as the hacker moved the loot into Ethereum and then to exchanges.

An attacker has used an “infinite mint” bug in a vulnerable smart contract on the Secret Network to create unbacked, wrapped versions of Axelar-wrapped assets, resulting in a $4.67 million exploit.

The exploit happened on June 10 but was discovered a week later on June 17, after a failed cross-chain transaction caused by an “insufficient funds” error in the drained account was detected, blockchain research firm Common Prefix reported on Friday.

The attacker redeemed the Axelar-wrapped assets (saTokens) back over legitimate channels to drain the real Axelar-wrapped assets held in escrow because the smart contract did not verify the source of the inbound transfer before minting, so “deposits forged over an attacker-controlled channel minted genuine saTokens with no assets backing them,” Common Prefix said.

Read more