Axelar Network responds to security incident, vulnerability stems from third-party token contract

Axelar Network released a statement stating that Axelar Network and IBC protocol have not been attacked, and the affected token smart contracts were not developed, deployed, or maintained by Axelar Network. The exploited contract is a forked version of CW20-ICS20, where the developer removed two core security checks resulting in an "infinite casting" vulnerability. This fork changes the original trust model of the contract and has not undergone security auditing. Axelar Network stated that this incident is not a unique logical flaw or IBC protocol issue, but rather a security risk introduced after third-party contract modifications.