Secret Network Bridge Loses $4.67M to Five-Year-Old IBC Validation Flaw

Published by James Harris on


What You Need to Know

  • Attacker drained $4.67 million from Secret Network by exploiting a flawed smart contract on June 19.
  • Vulnerable contract failed to verify incoming IBC transfers originated from authentic channels or stayed within escrow balances.
  • Same validation flaw persisted through public commits since 2023 and a March 2026 migration.
  • Cross-chain bridges have collectively lost billions to similar validation failures across dozens of incidents since 2021.

The same class of flaw that has ended dozens of bridge protocols since 2021 surfaced again on June 19: an attacker drained $4.67 million from Secret Network by exploiting a modified CW20-ICS20 smart contract used to process incoming IBC transfers from Axelar, according to Axelar’s statement and a post-mortem from blockchain security firm Common Prefix.

The mechanics were straightforward in the worst way. The attacker spun up a minimal Cosmos blockchain with a single validator, opened a fresh IBC channel directly to Secret Network, and sent fabricated deposit packets through it. Nothing in IBC itself stops this: the light client on Secret’s side only proves that a packet was committed on the counterparty chain, and the attacker controlled that chain, so the forged packets arrived with valid proofs. The only place to reject them was the receiving contract itself, at channel open or on each packet, and the vulnerable contract on Secret’s side never checked whether incoming transfers originated from an authentic Axelar-controlled channel, and never verified that redemption requests stayed within available escrow balances. It accepted any packet carrying a whitelisted token ID, regardless of which channel delivered it. The attacker minted unbacked wrapped tokens, then redeemed them through the legitimate Axelar mechanism, emptying the actual escrow. Common Prefix traced the missing validation logic back to public commits from 2023, and said a March 2026 migration carried the same gap forward. This is not a novel attack surface: the Syscoin bridge minted roughly five billion unauthorized SYS tokens in June through a comparable validation failure, and cross-chain bridges have collectively lost billions across repeated incidents of this type.

The flaw survived at least three years of public development because the contract assumed upstream components would handle authentication. That assumption held until someone decided to test it.

Recovery here is structurally messier than in a typical bridge exploit. Secret Network encrypts balances and transfers by default, which means the attacker’s wallet and transaction history are not visible through standard block explorers, and the stolen assets span seven tokens: wrapped USDC, USDT, DAI, WETH, WBTC, WBNB and wstETH. Axelar said it disconnected the relevant IBC connection immediately and is contacting exchanges and law enforcement, but users who held wrapped Axelar-bridged assets on Secret cannot redeem them through that route while the escrow accounts remain empty. The smart contract design problem at the center of this, where pre-funded escrow accounts back wrapped tokens with no enforcement on who can trigger a redemption, keeps recurring because IBC’s composability makes it easy to build these systems quickly and hard to audit every channel assumption.

Axelar confirmed its core protocol and other IBC connections were not affected, and the $4.67 million figure is small relative to the largest bridge incidents. But the pattern across 2026 suggests the industry has not internalized the lesson that cross-chain message authentication requires explicit verification at every contract layer, not delegation to whatever sits upstream.
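The two missing checks described in the mechanics paragraph above (channel origin on incoming packets, escrow bounds on redemption) and the closing point about explicit verification at the contract layer, as an added worked model that is not code from Secret Network, Axelar, Common Prefix or the post-mortem: a plain-Rust sketch, with no cosmwasm-std dependency, of a CW20-ICS20 style contract in its vulnerable and hardened shapes, replayed against the incident pattern. The denom "uusdc", the channel ids "channel-0" and "channel-999", the account names and the amounts are all made-up inputs; `settle_underlying` stands in for what the chain’s ICS20 module does when real tokens land and is not contract logic.

```rust
// Added model for this article, not Secret Network, Axelar or Common Prefix code: a plain-Rust (no
// cosmwasm-std) sketch of a CW20-ICS20 style contract with the two missing checks. All ids, names and amounts are made up.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone)]
pub struct IncomingTransfer {
    pub dest_channel: String, // channel on this chain the packet arrived over: from the IBC envelope, not the payload
    pub denom: String,        // token id in the payload, e.g. the made-up "uusdc"
    pub amount: u128,
    pub receiver: String,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    UnknownDenom(String),
    UntrustedChannel(String),
    InsufficientWrapped,
    InsufficientEscrow { requested: u128, available: u128 },
}

pub struct Bridge {
    allowed_denoms: HashSet<String>,
    trusted_channels: HashSet<String>,        // channels this contract was deliberately wired to
    escrow: HashMap<String, u128>,            // real bridged tokens held, per denom
    wrapped: HashMap<(String, String), u128>, // (holder, denom) -> wrapped balance
}

impl Bridge {
    pub fn new(denoms: &[&str], channels: &[&str]) -> Self {
        let set = |xs: &[&str]| -> HashSet<String> { xs.iter().map(|x| x.to_string()).collect() };
        Bridge { allowed_denoms: set(denoms), trusted_channels: set(channels), escrow: HashMap::new(), wrapped: HashMap::new() }
    }
    pub fn escrow_of(&self, denom: &str) -> u128 { self.escrow.get(denom).copied().unwrap_or(0) }
    pub fn wrapped_supply(&self, denom: &str) -> u128 {
        self.wrapped.iter().filter(|((_, d), _)| d == denom).map(|(_, v)| *v).sum()
    }
    /// The invariant an escrow-backed bridge must keep: outstanding wrapped supply never exceeds escrow.
    pub fn fully_backed(&self, denom: &str) -> bool { self.wrapped_supply(denom) <= self.escrow_of(denom) }
    fn credit(&mut self, holder: &str, denom: &str, amount: u128) { *self.wrapped.entry((holder.to_string(), denom.to_string())).or_insert(0) += amount; }
    fn debit(&mut self, holder: &str, denom: &str, amount: u128) -> Result<(), BridgeError> {
        let bal = self.wrapped.entry((holder.to_string(), denom.to_string())).or_insert(0);
        if *bal < amount { return Err(BridgeError::InsufficientWrapped); }
        *bal -= amount;
        Ok(())
    }
    /// Stands in for the chain's ICS20 module, not contract logic: only a trusted channel delivers the real asset into escrow.
    fn settle_underlying(&mut self, t: &IncomingTransfer) {
        if self.trusted_channels.contains(&t.dest_channel) { *self.escrow.entry(t.denom.clone()).or_insert(0) += t.amount; }
    }
    /// Vulnerable shape: the only check is the token allowlist, so any chain that can open a channel to us can mint.
    pub fn receive_vulnerable(&mut self, t: &IncomingTransfer) -> Result<(), BridgeError> {
        self.settle_underlying(t);
        if !self.allowed_denoms.contains(&t.denom) { return Err(BridgeError::UnknownDenom(t.denom.clone())); }
        self.credit(&t.receiver, &t.denom, t.amount);
        Ok(())
    }
    /// Hardened shape: the packet must also have arrived over a channel this contract trusts.
    pub fn receive_hardened(&mut self, t: &IncomingTransfer) -> Result<(), BridgeError> {
        self.settle_underlying(t);
        if !self.allowed_denoms.contains(&t.denom) { return Err(BridgeError::UnknownDenom(t.denom.clone())); }
        if !self.trusted_channels.contains(&t.dest_channel) { return Err(BridgeError::UntrustedChannel(t.dest_channel.clone())); }
        self.credit(&t.receiver, &t.denom, t.amount);
        Ok(())
    }
    /// Vulnerable redemption: burns wrapped tokens and pays from escrow with no check that escrow can cover it.
    pub fn redeem_vulnerable(&mut self, holder: &str, denom: &str, amount: u128) -> Result<(), BridgeError> {
        self.debit(holder, denom, amount)?;
        let left = self.escrow_of(denom).saturating_sub(amount); // silently drains whatever backing is there
        self.escrow.insert(denom.to_string(), left);
        Ok(())
    }
    /// Hardened redemption: refuse anything escrow cannot cover before touching any balance.
    pub fn redeem_hardened(&mut self, holder: &str, denom: &str, amount: u128) -> Result<(), BridgeError> {
        let available = self.escrow_of(denom);
        if amount > available { return Err(BridgeError::InsufficientEscrow { requested: amount, available }); }
        self.debit(holder, denom, amount)?;
        self.escrow.insert(denom.to_string(), available - amount);
        Ok(())
    }
}

/// Replays the incident shape: honest deposit over "channel-0", forged packet over attacker-opened "channel-999", then a
/// redemption via the real path. Returns (forged deposit result, redeem result, escrow left, wrapped outstanding, backed).
pub fn replay(hardened: bool) -> (Result<(), BridgeError>, Result<(), BridgeError>, u128, u128, bool) {
    let mut b = Bridge::new(&["uusdc"], &["channel-0"]);
    let pkt = |ch: &str, who: &str| IncomingTransfer {
        dest_channel: ch.to_string(), denom: "uusdc".to_string(), amount: 1_000_000, receiver: who.to_string(),
    };
    let receive: fn(&mut Bridge, &IncomingTransfer) -> Result<(), BridgeError> =
        if hardened { Bridge::receive_hardened } else { Bridge::receive_vulnerable };
    let redeem: fn(&mut Bridge, &str, &str, u128) -> Result<(), BridgeError> =
        if hardened { Bridge::redeem_hardened } else { Bridge::redeem_vulnerable };
    receive(&mut b, &pkt("channel-0", "alice")).unwrap();          // honest deposit: escrow 1M, alice holds 1M wrapped
    let forged = receive(&mut b, &pkt("channel-999", "attacker")); // fabricated deposit from the attacker's own chain
    let drained = redeem(&mut b, "attacker", "uusdc", 1_000_000);  // cash it out through the legitimate path
    (forged, drained, b.escrow_of("uusdc"), b.wrapped_supply("uusdc"), b.fully_backed("uusdc"))
}

fn main() { for &h in &[false, true] { println!("hardened={}: {:?}", h, replay(h)); } }
```

`replay(false)` reproduces the incident shape: the forged packet is accepted, the attacker’s redemption empties escrow, and `fully_backed` reports that the honest user’s 1,000,000 wrapped tokens are now backed by nothing. `replay(true)` rejects the forged packet with `UntrustedChannel`, the attacker has nothing to redeem, and escrow stays at 1,000,000. The real contract’s escrow arithmetic and channel wiring are not known from the post-mortem summary above; the point of the model is that the channel identity must be read from the packet envelope the chain supplies and compared against an allowlist the contract itself owns, and that a payout is refused before any balance changes when escrow cannot cover it.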

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
