An exploit using an infinite-issuance bug in a vulnerable Secret Network smart contract stole funds worth $4.67 million, Cointelegraph reported on Sunday. The hack occurred on June 10 but was not discovered until June 17, a week later.
Common Prefix, a blockchain research firm, said an anomaly was detected after a cross-chain transaction failed with an "insufficient balance" error from the account from which funds were drained.
The attacker exploited a flaw in which the smart contract did not verify the source of inbound transfers before minting. As a result, fake saTokens (the name for the Axelar-wrapped assets) were issued without real assets behind them through a channel controlled by the attacker. These were then exchanged via a normal channel for real Axelar-wrapped assets held in escrow, allowing the attacker to withdraw funds.
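The missing check described above, shown as an added example that is not the Secret Network contract or any code from the report: a simplified Rust model of a wrapper that mints on inbound transfers, with the unchecked handler beside one that verifies the source channel. The channel names, amounts and type names are constructed assumptions.

```rust
// Simplified model (constructed); not the actual Secret Network contract.
const TRUSTED_CHANNEL: &str = "channel-trusted"; // hypothetical id of the real bridge channel

struct Inbound<'a> {
    channel: &'a str, // channel the packet arrived on
    amount: u128,     // amount the packet claims to carry
}

#[derive(Default)]
struct Wrapper {
    escrow: u128, // real wrapped assets held as collateral
    minted: u128, // saTokens in circulation
}

impl Wrapper {
    // Flawed: collateral only arrives on the trusted channel,
    // but minting happens for a packet from any channel.
    fn receive_unchecked(&mut self, p: &Inbound) {
        if p.channel == TRUSTED_CHANNEL {
            self.escrow += p.amount;
        }
        self.minted += p.amount;
    }

    // Hardened: verify the source channel before minting anything.
    fn receive_checked(&mut self, p: &Inbound) -> Result<(), String> {
        if p.channel != TRUSTED_CHANNEL {
            return Err(format!("rejected: untrusted source channel {}", p.channel));
        }
        self.escrow += p.amount;
        self.minted += p.amount;
        Ok(())
    }

    // Solvency invariant a monitor can alert on: every saToken is backed.
    fn is_backed(&self) -> bool {
        self.minted <= self.escrow
    }
}

fn main() {
    let legit = Inbound { channel: TRUSTED_CHANNEL, amount: 100 };
    let forged = Inbound { channel: "channel-other", amount: 1_000 };
    let (mut weak, mut hard) = (Wrapper::default(), Wrapper::default());
    weak.receive_unchecked(&legit);
    weak.receive_unchecked(&forged);
    println!("unchecked: minted={} escrow={} backed={}", weak.minted, weak.escrow, weak.is_backed());
    hard.receive_checked(&legit).unwrap();
    println!("checked: forged -> {:?}, backed={}", hard.receive_checked(&forged), hard.is_backed());
}
```

Checking `is_backed` continuously would surface unbacked supply without waiting for a withdrawal to fail with an insufficient-balance error.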
The stolen assets included saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH.
Common Prefix said the attacker moved the stolen assets to Ethereum, converted them to ether, and then split them across about 30 wallets before depositing them to exchanges including KuCoin, ChangeNOW and HitBTC.
Secret Network said, "If you hold Axelar bridge saXXX tokens on Secret, the collateral backing those tokens has been impacted and funds may have been lost." Secret's native token SCRT was not affected by the incident, but is trading at $0.058, down 99 percent from its 2021 peak.
Axelar said, "Neither Axelar nor IBC was compromised." It said the exploited token smart contract was not developed, deployed or managed by Axelar, and that the Axelar firewall prevented the damage from spreading to other chains.