CYNTRI AIAutonomous DeFi
🔍SEARCH
THE BODY COUNT
HACK DATABASE·🔓

A Privacy Chain Got Robbed for $4.67M and Didn't Notice for Seven Days

Secret Network encrypts every balance by default. That is the entire product. So when an attacker minted $4.67 million in tokens backed by nothing, the missing money did not show up anywhere. The chain hid the theft from its own team for a full week. The privacy worked perfectly. That was the problem.

S
SYNTH·Hack Database
A Privacy Chain Got Robbed for $4.67M and Didn't Notice for Seven Days
Secret Network, a privacy chain that encrypts balances by default, lost $4.67M to an infinite-mint bug on June 10, 2026 - and because the missing collateral was invisible on-chain, nobody noticed for seven days

Secret Network sells one thing above all else: privacy. It is a Cosmos-based layer-1 that encrypts balances by default, so nobody can see what anyone holds. That is the pitch. That is the reason it exists. In June 2026 that exact feature let a $4.67 million theft hide in plain sight for seven days, because on a chain where nothing is visible, an empty vault looks exactly like a full one.

The bug was in a modified CW20-ICS20 token contract on the Secret side of a bridge connecting it to Axelar, the interoperability network. The contract's job was to mint Secret-wrapped versions of Axelar-bridged assets - tokens called saTokens, each one supposed to be backed 1:1 by a real asset held in escrow. saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, sawstETH. Every wrapped token was a claim on something real sitting in a vault.

The contract had one job and it skipped a step. It minted saTokens without verifying where the inbound transfer actually came from. So an attacker forged deposits over a channel they controlled, and the contract dutifully minted genuine saTokens with nothing behind them. Infinite mint. Free money that looked identical to real money. Then the attacker took those unbacked saTokens, redeemed them through Axelar's completely legitimate channels, and walked off with the real assets held in escrow.

CyntriAI
PREDICTIVE DEFI
Stop chasing yields across five chains.
Cyntri AI agents predict, execute, and rebalance your DeFi positions using advanced predictive models.
ETHSOLARBBASEOP
Read the Whitepaper
cyntriai.org
A Cyntri AI Project

This is where the privacy chain turned on itself.

The exploit happened on June 10. On a normal blockchain, a drained escrow account is visible. Anyone watching the on-chain balances sees the collateral vanish and raises the alarm. But Secret encrypts balances by default. The missing money did not show up on-chain because on Secret, no money shows up on-chain. The theft was cryptographically hidden by the same feature users pay for. The team did not know. Nobody knew.

It surfaced on June 17, and not because anyone caught the thief. A routine cross-chain transaction simply failed. The error was "insufficient funds." An account that was supposed to be full was empty. Investigators pulled the thread and traced the shortfall back seven days to a handful of suspicious withdrawals on June 10. The privacy chain only discovered it had been robbed when it tried to spend money that was no longer there.

The details got worse from there. Common Prefix, the research firm that analyzed it, found the flawed logic had been sitting in the code since 2023. It survived a March 2026 migration untouched. And Secret Network never requested an outside audit when the bridge was first built. A privacy protocol asked no one to check its most sensitive minting logic, then encrypted the evidence when that logic failed.

The attacker moved the stolen assets to Ethereum, swapped them into ETH through Osmosis and a DEX, split the haul across roughly 30 fresh wallets, and funneled it into exchanges including KuCoin, ChangeNow, and HitBTC. Standard laundering. Nothing exotic. They did not need to be clever, because the seven-day head start did the work.

Axelar confirmed the loss on June 19 and moved fast to contain it, disabling the Secret and Secret-SNIP connections within hours. But the company was firm on one point, repeated in every statement: neither Axelar nor the IBC protocol was compromised. The broken contract "was not developed, deployed, or maintained by Axelar." Axelar's firewalling kept the damage from spreading to other chains. All true, and all cold comfort to anyone holding saTokens on Secret, which the network warned "may be lost."

There was a recoverable piece. Secret Network said roughly $770,000 of the stolen funds still sat in the attacker's wallet on Axelar. Secret flagged it, called it recoverable, and asked the Axelar team to freeze it or coordinate a community freeze. Axelar decided not to pursue that request. The $770,000 stayed where it was.

SCRT, the native token, was never touched by the exploit and actually ticked up a few percent afterward. It also sits about 99% below its 2021 peak, which tells you how much the market was paying attention. The saToken holders absorbed the loss. The privacy held. The money did not.

The Aftermath

Axelar disabled the Secret and Secret-SNIP connections within hours of confirming the loss on June 19 and gave no timeline for restoring them, while coordinating with exchanges and law enforcement to trace the funds. The vulnerable contract was patched. Secret Network warned that holders of Axelar-bridged saXXX tokens may have lost their backing entirely. Roughly $770,000 remained recoverable in the attacker's Axelar wallet, but Axelar declined Secret's request to freeze it. The native SCRT token was never affected and actually rose slightly after disclosure, though it remains around 99% below its 2021 all-time high. The incident became a case study in how privacy-by-default can delay breach detection - the same encryption that protects users hid the shortfall until a failed transaction forced it into the open a week later.

LESSONS LEARNED

!Privacy by default cuts both ways. The same encryption that hides your balance from attackers also hid a drained escrow from the people who could have stopped the bleeding. Secret Network discovered it had been robbed only when it tried to spend money that was already gone.
!A wrapped token is a promise that a real asset sits in escrow. When the minting contract does not verify the source of a deposit, that promise is just a suggestion - and an attacker can print genuine-looking claims against a vault that was never funded.
!The flaw sat in the code since 2023, survived a migration, and was never checked by an outside auditor. A privacy protocol handling millions in bridged assets asked no one to review its most sensitive logic. The bug was not sophisticated. The negligence was.

COMMENTS

CMZ
END OF FILE
Filed under Hack Database