Axelar Network: "Security incident caused by an infinite-mint vulnerability in a third-party token contract"
https://t.co/yuqlijzjC6 https://t.co/WDeRkWgewK
The only utility we've gotten out of these privacy protocols is giving exploiters a way to move illicit funds without anyone knowing where the money went (in almost every case) 😭😂
In short, we built privacy tech for exploiters, not for real users. Look at the Aztec protocol exploit, the Zcash vulnerability, the Zama contract that Circle froze over illicit-actor funds, and now the Axelar case.
The Secret post-mortem is out. The real story: the people who modified that bridge didn't understand how its own authentication worked. No outside auditor was ever asked to check it. And for three years, no attacker understood it either. The bridge held until (my bet) an AI finally read the contract and saw what every human had missed.
The miss is almost dumb in hindsight. The contract started as an escrow bridge, a coat check: it only ever hands back a coat someone checked in earlier, so "is this deposit real?" was answered for free by the ticket logic.
Then it was forked to mint Axelar tokens instead. Minted tokens were never checked in, so the ticket logic didn't fit and got deleted. Whoever did that didn't realize those exact functions were the only thing verifying which chain a deposit came from. The Allow List that replaced them checked which token could be minted, never its source.
So the door was open from January 2023. Then someone spun up a fake chain, named a real asset like USDT, and minted $4.67M out of nothing.
The lesson isn't really about Secret. For three years, finding this took a human willing to read the whole contract, and nobody did. That barrier is gone. An AI reads all of it, closely, for cents. So if your contract is public and hasn't been through an AI audit, assume the attacker's AI is already reading it. Audit yours first.
Secret post-mortem https://t.co/kBT1f9Xu0H
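As an added illustration (not Secret's or Axelar's code, and not taken from the post-mortem), here is a toy Python model of the three designs the thread describes: the escrow "coat check" that only releases what was deposited under a ticket, the fork whose allow list checks only the token name, and a mint bridge whose allow list is keyed on where the packet came from. The class names, the `Packet` fields, the `fake-chain-1` / `attacker-bridge` values and the `ethereum` / `0xlegit-gateway` route are all assumptions made for the example; only the shape of the bug (tickets removed, source never checked) comes from the thread.

```python
"""Toy model of the bridge failure described in the thread: an escrow bridge
verifies a withdrawal by its deposit ticket; a forked mint bridge with a
token-only allow list never looks at which chain the packet came from.
All names, fields and sample values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


class BridgeError(Exception):
    pass


@dataclass(frozen=True)
class Packet:
    """A cross-chain message as the receiving contract sees it (constructed)."""
    source_chain: str               # chain the packet claims to come from
    source_contract: str            # sending contract on that chain
    token: str                      # asset name carried in the packet, e.g. "USDT"
    amount: int
    recipient: str
    deposit_id: Optional[str] = None  # only meaningful for escrow withdrawals


def _credit(balances, pkt):
    acct = balances.setdefault(pkt.recipient, {})
    acct[pkt.token] = acct.get(pkt.token, 0) + pkt.amount


class EscrowBridge:
    """Coat check: releases only what was checked in earlier under a ticket."""

    def __init__(self):
        self.escrow = {}    # deposit_id -> (token, amount)
        self.balances = {}  # recipient -> {token: amount}

    def deposit(self, deposit_id, token, amount):
        if deposit_id in self.escrow:
            raise BridgeError("duplicate ticket")
        self.escrow[deposit_id] = (token, amount)

    def release(self, pkt):
        # The ticket lookup doubles as the source check: a packet with no
        # matching deposit cannot move funds, whatever chain it names.
        entry = self.escrow.pop(pkt.deposit_id, None)
        if entry != (pkt.token, pkt.amount):
            raise BridgeError("no matching deposit")
        _credit(self.balances, pkt)


class TokenOnlyMintBridge:
    """The fork as the thread describes it: tickets deleted, allow list
    keyed on the token name alone."""

    def __init__(self, allowed_tokens):
        self.allowed_tokens = set(allowed_tokens)
        self.balances = {}

    def mint(self, pkt):
        if pkt.token not in self.allowed_tokens:
            raise BridgeError("token not allowed")
        # pkt.source_chain and pkt.source_contract are never consulted,
        # so any chain that names an allowed asset can mint it.
        _credit(self.balances, pkt)


class SourceBoundMintBridge:
    """Allow list keyed on (source chain, source contract) -> token, so the
    mint right is tied to a registered origin rather than to a name."""

    def __init__(self, routes):
        self.routes = dict(routes)  # (chain, contract) -> token it may mint
        self.balances = {}

    def mint(self, pkt):
        expected = self.routes.get((pkt.source_chain, pkt.source_contract))
        if expected is None:
            raise BridgeError("unknown source")
        if expected != pkt.token:
            raise BridgeError("source not authorised for this token")
        _credit(self.balances, pkt)


def forged_usdt_packet(amount=4_670_000):
    """Constructed attacker packet: a made-up chain naming a real asset."""
    return Packet("fake-chain-1", "attacker-bridge", "USDT", amount, "attacker")


def run_all():
    """Feed the same forged packet to all three designs; return the outcome."""
    pkt = forged_usdt_packet()
    bridges = {
        "escrow": (EscrowBridge(), "release"),
        "token_only": (TokenOnlyMintBridge({"USDT", "USDC"}), "mint"),
        # hypothetical registered route: only this origin may mint USDT
        "source_bound": (SourceBoundMintBridge(
            {("ethereum", "0xlegit-gateway"): "USDT"}), "mint"),
    }
    out = {}
    for name, (bridge, method) in bridges.items():
        try:
            getattr(bridge, method)(pkt)
            out[name] = "credited"
        except BridgeError as e:
            out[name] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:13s} {result}")
```

The point of the model is the asymmetry in what each allow list binds: the escrow ticket and the `(chain, contract)` route both tie a credit to something the attacker cannot fabricate on their own chain, whereas a token-name list is satisfied by anyone who can spell "USDT".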