Axelar Network reports that its infrastructure and the Inter-Blockchain Communication protocol were not compromised during the $4.67 million exploit on Secret Network. A postmortem by Common Prefix identified the root cause as a vulnerable smart contract on Secret Network, which was a fork of the CW20-ICS20 implementation. Developers had removed two core security checks, creating an 'infinite mint' vulnerability that allowed unauthorized token creation without a new security audit.

The flaw enabled an attacker to forge IBC packets and redeem legitimate saTokens for seven assets, including saUSDC and saWBTC, through Axelar’s legitimate channel. Although the vulnerability originated in early 2023, it remained undetected until June 17 when an escrow shortfall was discovered. Axelar has disabled its Secret connections, confirming that its firewalling measures contained the incident within the affected contract.