Axelar shuts Secret IBC route after $4.67M forged-packet drain
Forged-packet attack on Secret's ICS-20 contract minted unbacked wrapped tokens, then redeemed them via the legitimate Axelar IBC channel. Caught June 17 when an escrow accounting check failed.
Axelar's emergency committee shut down the Secret and Secret-SNIP IBC connections on June 19 after disclosing that roughly $4.67M in bridged assets was drained from a Secret-side ICS-20 contract in a sequence of seven anomalous packets dated June 10. The shortfall was only caught June 17 — nine days after the attack — when a routine cross-chain transfer failed because the wrapped-asset escrow no longer covered it. Because Secret Network is privacy-by-default, the drain transactions themselves are encrypted on-chain, leaving forensics dependent on Axelar's escrow reconciliation rather than direct block-explorer evidence. Axelar's investigation summary and the connection shutdown were communicated through the protocol's incident channel and relayed by crypto.news and AMBCrypto on June 19.
What happened
The vulnerability sits in the Secret-side ICS-20 token contract used by the Cosmos IBC connection between Secret and Axelar's axelar-dojo-1 chain. According to the public account and on-chain forensics labeled by F12, the victim gateway is the verified Secret contract secret1yxjmepvyl2c25vnt53cr2dpn8amknwausxee83, which fronted channels 60 and 61 linking Secret to Axelar (Secret's IBC channel registry is published in the Secret Network IBC channel database).
Axelar's account of the attack:
- The attacker stood up a custom, single-validator Cosmos SDK chain under their own control.
- They opened a new IBC channel from that chain to the vulnerable Secret-side contract.
- They sent forged ICS-20 deposit packets through the new channel. The contract failed to validate the source channel and the denomination path against the legitimate Axelar route.
- The contract treated the forged packets as real deposits and minted unbacked wrapped tokens on Secret.
- The attacker then redeemed those unbacked wrapped tokens via the legitimate Axelar IBC channel, pulling out real assets from the escrow on the Axelar side.
The drain was not caught by Secret's encrypted ledger — by design, no observer could see the balance moving — but by Axelar's bookkeeping: when a later legitimate transfer tried to draw from the escrow, the escrow accounting did not balance, exposing the seven anomalous packets from June 10.
Mechanism — denomination-path forgery, not a key compromise
ICS-20 is the Cosmos IBC standard for fungible-token transfer. Its security model relies on each receiving chain checking that an incoming packet's source channel and denomination path trace back to a sender chain whose escrow can vouch for the asset. Without that check, any chain that can open a channel to the contract can mint the wrapped denomination with nothing in escrow behind it.
What Axelar describes is exactly that class of bug: the modified ICS-20 contract on Secret accepted packets from a channel that was not the canonical Axelar channel, then minted the corresponding wrapped denomination as if it were. The attacker did not need to compromise a validator key, sign a malicious proposal, or break Secret's privacy guarantees. They needed a Cosmos chain (cheap), an IBC channel (free to open), and a forged packet (trivial to construct).
The attacker then ran the second leg through the real channel: the unbacked wrapped tokens were sent back over the legitimate Axelar route and redeemed against real escrow.
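The receive-side check described above, as an added example in Rust (the language of CosmWasm contracts). It is a constructed model, not code from the Secret contract, Axelar or the Cosmos SDK; the `Packet` and `Wrapper` types, the channel ids `channel-A` (canonical) and `channel-Z` (attacker-opened), the denoms and the amounts are all assumptions made for illustration. It replays the same deposits through a handler that ignores the arrival channel and through one that enforces channel and denomination path, then reports how far wrapped supply exceeds escrow.

```rust
use std::collections::HashMap;

// Constructed model, not the Secret contract: ids, denoms, amounts are made up.
struct Packet<'a> {
    dest_channel: &'a str, // local end of the channel the packet arrived on
    denom: &'a str,        // denomination path as written by the sending chain
    amount: u128,
}
#[derive(Debug, PartialEq)]
enum RecvError { UntrustedChannel, DenomNotOnRoute }
struct Wrapper {
    routes: HashMap<&'static str, Vec<&'static str>>, // channel -> exact denoms
    supply: HashMap<String, u128>,                    // wrapped supply per denom
}
impl Wrapper {
    fn new() -> Self {
        let routes = HashMap::from([("channel-A", vec!["uaxl", "uusdc"])]);
        Wrapper { routes, supply: HashMap::new() }
    }
    // Flawed: mints on the last path segment and never looks at the channel.
    fn recv_unchecked(&mut self, p: &Packet) -> Result<(), RecvError> {
        let base = p.denom.rsplit('/').next().unwrap_or(p.denom);
        *self.supply.entry(base.to_string()).or_insert(0) += p.amount;
        Ok(())
    }
    // Hardened: arrival channel and full denom path must both match a route.
    fn recv_checked(&mut self, p: &Packet) -> Result<(), RecvError> {
        let allowed = self.routes.get(p.dest_channel).ok_or(RecvError::UntrustedChannel)?;
        if !allowed.iter().any(|d| *d == p.denom) { return Err(RecvError::DenomNotOnRoute); }
        *self.supply.entry(p.denom.to_string()).or_insert(0) += p.amount;
        Ok(())
    }
}

// Replays three deposits against 100 uaxl of real escrow; returns (rejected, unbacked supply).
fn replay(checked: bool) -> (usize, u128) {
    let mut w = Wrapper::new();
    let packets = [
        Packet { dest_channel: "channel-A", denom: "uaxl", amount: 100 }, // genuine
        Packet { dest_channel: "channel-Z", denom: "uaxl", amount: 900 }, // rogue channel
        Packet { dest_channel: "channel-A", denom: "transfer/channel-Z/uaxl", amount: 50 },
    ];
    let mut rejected = 0;
    for p in &packets {
        let r = if checked { w.recv_checked(p) } else { w.recv_unchecked(p) };
        if r.is_err() { rejected += 1; }
    }
    (rejected, w.supply.get("uaxl").copied().unwrap_or(0).saturating_sub(100))
}
fn main() { println!("unchecked {:?}, checked {:?}", replay(false), replay(true)); }
```

A non-zero second value is the condition an escrow reconciliation flags: wrapped supply on the receiving side that the sending side's escrow cannot cover.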
On-chain trail — what's traceable, what isn't
The Secret leg of the drain is opaque by protocol design. The post-Secret movement is not:
- Proceeds were routed through Osmosis, the Cosmos liquidity hub, to exit the IBC region.
- From Osmosis the funds were bridged to Ethereum and swapped to ETH on CoW Protocol, per the public summaries.
- The ETH was split across roughly 30 wallets, then deposited into KuCoin, ChangeNow and HitBTC.
We could not independently surface the Ethereum-side attacker addresses or specific deposit tx hashes; none have appeared in public Axelar bulletins at the time of writing. Anyone tracking on-chain should treat the Osmosis → Ethereum → CoW → CEX pattern as the established forensic chain and watch Axelar's incident channel for published addresses.
Numbers
- Total drained : ~$4.67M (Axelar incident summary)
- Anomalous packets identified : 7, all dated June 10, 2026
- Detection lag : 9 days (attack June 10 → discovery June 17)
- Victim contract (Secret) : secret1yxjmepvyl2c25vnt53cr2dpn8amknwausxee83
- IBC channels disabled : Secret + Secret-SNIP connections to axelar-dojo-1 (gateway fronts channels 60 / 61)
- Axelar core protocol affected : no — incident isolated to the Secret-side ICS-20 contract
- Other Axelar integrations : not affected
- Funds routed through : Osmosis → Ethereum (via bridge) → CoW Protocol → ~30 wallets
- Off-ramps : KuCoin, ChangeNow, HitBTC
USD figure and counts are per Axelar's public incident communication, relayed by crypto.news, The Merkle and AMBCrypto. The specific token mix taken — SCRT-wrapped variants vs USDC.axl vs AXL vs ATOM — has not been broken out publicly.
Skeptical attribution
No actor has claimed responsibility, and the encrypted Secret leg removes a normal source of clustering signal. The public technique — custom validator chain, forged ICS-20 packets, exit through Osmosis and CoW with a fan-out to common CEX off-ramps — is a known pattern in Cosmos-bridge exploits and does not by itself fingerprint a specific group. Until a sourced labeler (Chainalysis, TRM, Arkham, an OFAC filing) attaches a name to the Ethereum-side wallets, this is best read as an unattributed operator with working knowledge of ICS-20 internals.
Impact
- Users with assets in transit through the Secret connection at the time of the shutdown are stuck until Axelar and Secret coordinate a contract fix and re-enable the route, or migrate balances out manually. Neither party has published a recovery timeline.
- Axelar's general-message bridge (GMP) and non-Secret IBC routes continue to operate. The incident is, per Axelar, confined to the one Secret-side contract.
- Wrapped-asset escrow balances on the Axelar side are short by the drained amount. Any reimbursement will require Axelar Foundation or governance action; nothing announced at the time of writing.
- Cross-chain protocols running modified CW20-ICS20 forks on Secret or other CosmWasm chains are in scope for the same class of bug. The fix is the canonical ICS-20 source-channel and denomination-path check — code that already exists in the Cosmos SDK reference implementation.
What to watch
- The Secret-side patch. A corrected ICS-20 contract on Secret with strict source-channel and denomination-path validation is the prerequisite for re-enabling the route. Watch Secret's governance and the contract upgrade on its block explorer.
- Axelar's post-mortem. Axelar has committed to publishing a fuller analysis once the investigation closes. Expect specifics on the seven packets, the exit hashes on Ethereum, and the policy for restoring user funds.
- Exchange freezes. KuCoin, ChangeNow and HitBTC have all been notified per Axelar's public statement. Recovery depends on whether deposits cleared before the freeze requests landed.
- Audit re-scope on other Secret-side bridge contracts. Any other gateway on Secret using a forked CW20-ICS20 needs the same denomination-path check. A community audit list is the natural next artifact.
Context — second Cosmos bridge drain in three weeks
This is the second Cosmos-region bridge drain in under a month that we've covered. On May 30, Gravity Bridge — the validator-signed bridge between Ethereum and Cosmos SDK chains — was drained of about $5.4M in a suspected key compromise. That failure mode was operational: the bridge's signing authority was the weak point. The Axelar-Secret failure is structural: the Secret-side ICS-20 contract did not enforce the source-channel check that the canonical ICS-20 reference implementation does.
Different failure classes, same uncomfortable pattern. Cosmos's IBC stack is mature and well-specified, but every chain that lands ICS-20 ships its own contract code, and every fork that softens a check on the receiving side becomes a free-money bug waiting to be found. The protocol guarantees aren't the issue. The deployments on top of them are.
What other outlets missed
Most coverage led with the dollar figure and the "Axelar disables Secret connection" framing. The structurally interesting fact is the detection lag: nine days passed between the attack and discovery because Secret's privacy-by-default ledger denied investigators the normal signal — a visibly drained escrow contract. The drain only surfaced when an unrelated transfer hit an empty pot. For privacy chains hosting wrapped-asset bridges, this is the cost: stronger on-chain privacy weakens the public reconciliation that catches accounting bugs early. The Axelar side caught it through off-chain bookkeeping, not on-chain monitoring. That tradeoff deserves a louder conversation than "$4.67M stolen, route disabled."
Sources:
- crypto.news — Axelar shuts down Secret Network bridge routes after $4.7M exploit (June 19, 2026).
- AMBCrypto — Axelar disables Secret connection after $4.67M exploit hits IBC-linked assets.
- The Merkle — Axelar Confirms $4.67M Exploit on Secret Network Bridge, Core Protocol Remains Unaffected.
- BanklessTimes — Secret Network Bridge Exploit Drains $4.67M From Axelar Link (June 20, 2026).
- The Crypto Times — $4.67M Exploit Hits Axelar-Secret Network Bridge, Links Disabled (June 19, 2026).
- Secret Network IBC channel database.