$4.67 Million Exploit Hits Secret Network Due to Smart Contract Vulnerability

Security Breach on the Secret Network

On June 10, a significant security breach took place on the Secret Network, resulting in the theft of approximately $4.67 million. This incident went unnoticed for a week, until June 17, when a failed cross-chain transaction revealed the underlying issues by triggering an “insufficient funds” alert.

Details of the Exploit

During this exploit, malicious actors took advantage of a vulnerability in a custom smart contract that allowed them to mint unbacked versions of wrapped assets called saTokens. These were then converted into the real assets that were held in escrow.

A blockchain analysis firm, Common Prefix, found that the exploit stemmed from a flaw in the smart contract designed to manage these tokens. Specifically, the contract inadequately verified the source of incoming transfers, enabling the attacker to generate seemingly legitimate assets on the Secret Network without any actual collateral backing them.

Using a communication channel under their control, the perpetrator was able to send falsified deposits and issue these fraudulent saTokens, which were mistaken for fully secured tokens.
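
The missing origin check described above, sketched as an added example in Rust. It is not the affected contract's code, which this article does not show. The struct and function names, channel ids and addresses are hypothetical. The model records one trusted (channel, sender) route per token and refuses deposits arriving from anywhere else.

```rust
use std::collections::HashMap;

// Simplified model, not the real contract. Channel ids, addresses and
// amounts below are constructed placeholders.
#[derive(Clone, Debug)]
struct Deposit { channel: String, sender: String, denom: String, amount: u128, recipient: String }

struct Minter {
    trusted: HashMap<String, (String, String)>, // denom -> (channel, remote sender)
    balances: HashMap<String, u128>,
}

impl Minter {
    fn new() -> Self {
        let mut trusted: HashMap<String, (String, String)> = HashMap::new();
        trusted.insert("saUSDC".into(), ("channel-trusted".into(), "gateway-addr".into()));
        Minter { trusted, balances: HashMap::new() }
    }
    // Weak form: mints for any well-formed deposit message, whatever its origin.
    fn mint_unchecked(&mut self, d: &Deposit) -> Result<u128, String> { self.credit(d) }
    // Hardened form: channel AND remote sender must match the registered route.
    fn mint_checked(&mut self, d: &Deposit) -> Result<u128, String> {
        let ok = matches!(self.trusted.get(&d.denom),
            Some((ch, s)) if *ch == d.channel && *s == d.sender);
        if !ok {
            return Err(format!("rejected {} from {}/{}", d.denom, d.channel, d.sender));
        }
        self.credit(d)
    }
    fn credit(&mut self, d: &Deposit) -> Result<u128, String> {
        let bal = self.balances.entry(d.recipient.clone()).or_insert(0);
        *bal = bal.checked_add(d.amount).ok_or("balance overflow")?;
        Ok(*bal)
    }
}

// Builds a constructed sample deposit of 1,000 units of saUSDC.
fn deposit(channel: &str, sender: &str) -> Deposit {
    Deposit { channel: channel.into(), sender: sender.into(), denom: "saUSDC".into(),
              amount: 1_000, recipient: "recipient-addr".into() }
}

fn main() {
    let forged = deposit("channel-other", "unknown-addr");
    let genuine = deposit("channel-trusted", "gateway-addr");
    println!("unchecked, forged: {:?}", Minter::new().mint_unchecked(&forged));
    let mut m = Minter::new();
    println!("checked, forged:   {:?}", m.mint_checked(&forged));
    println!("checked, genuine:  {:?}", m.mint_checked(&genuine));
}
```

Checking the channel alone or the sender alone is not enough in this model: a deposit is credited only when both match the route registered for that token.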

Impacted Assets

The particular assets affected included:

  • saUSDT
  • saUSDC
  • saDAI
  • saWETH
  • saWBTC
  • saWBNB
  • sawstETH

Once the fraudulent tokens were acquired, the hacker managed to bridge them to the Ethereum blockchain, convert them into Ethereum (ETH), and subsequently distribute them across roughly 30 different digital wallets in an attempt to obscure the trail of stolen funds. Some of these assets eventually surfaced on various cryptocurrency exchanges, such as KuCoin, ChangeNow, and HitBTC.

Significance of the Breach

This breach is now recognized as one of the most significant crypto security breaches in the month of June, joining over 20 other protocol exploits reported by DeFiLlama. While the Humanity Protocol hack stands as the largest of the month, with losses nearing $32 million, and the Syscoin Bridge incident caused about $8 million in damages, the Secret Network exploit is certainly among the most impactful.

Aftermath and Warnings

In the aftermath of the breach, Secret Network cautioned users with Axelar-bridged saTokens that their assets might no longer have the full backing they originally had, posing a substantial risk of loss. The platform clarified that its native token, SCRT, remained unaffected by this exploit.

Additionally, Axelar released assurances that its network and the Inter-Blockchain Communication (IBC) protocol were not compromised, as the vulnerability existed solely within a third-party token contract that Axelar neither created nor managed.