Audit log
Every state-changing event for Syscoin Bridge: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-14 17:12:58Z. Score: ? → ? (no score change). Anchor: anchored
  - chain: mainnet-beta, slot 426,459,475
  - sig: 2F5RCzBjDvxF…v33N6b4u
  - hash: 8QoP3J73bTC3…SDALngh5 (sha256 → base58)

canonical bytes (16292 B):
{"actor":"system:backfill","investigation_id":"b678fb7e-aebd-4836-866a-b453c020a4ab","kind":"publish","page_slug":"syscoin-bridge","published_at":"2026-06-14T17:12:58.347Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Syscoin Bridge","sections":[{"content":"On June 7, 2026, an attacker exploited a parsing error in the Syscoin bridge relay's Simplified Payment Verification (SPV) proof validation logic. The bridge connects Syscoin's UTXO chain to its NEVM (Network Enhanced Virtual Machine) EVM layer by requiring a verified burn transaction on the NEVM side before authorizing a mint on the UTXO side. The attacker crafted a malformed SPV proof designed not to be cryptographically valid, but to be misread as valid by the relay's parsing code. The relay accepted the fraudulent proof and authorized the creation of approximately 5 billion SYS on the UTXO chain without any corresponding burn on the NEVM side, effectively minting uncollateralized tokens. The initial unauthorized output was sent to address sys1qgaelv690g7wwp2xchfdh0enf5uewzq5sm9wvcw (transaction a5b422abbbd89c8e316d1990f696e030d610cb527001ff97524f5317e87fa184), then immediately moved and split across two wallets: sys1q2k482wnachkgky4lw60973p4vcf7xlh9kzpv33 (approximately 4 billion SYS) and sys1qx6jjkq89sdaxftfgre3m0nv7vjfd4jeakg5t38 (approximately 1 billion SYS). 
The estimated value at time of mint was approximately $8.56 million based on SYS trading at $0.00171187.","heading":"Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin — Rekt News","type":"news_article","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Syscoin Halts Bridge After Exploit Mints 5 Billion SYS Tokens — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"}]},{"content":"The vulnerability resided in the bridge relay process responsible for parsing and validating SPV proofs submitted to authorize minting on the UTXO chain. According to Halborn's post-mortem, the flaw was not a cryptographic break but a logic error in proof structure parsing. The attacker submitted a proof that was structured to exploit an edge case in the relay's interpretation code, causing the relay to treat a non-existent burn transaction as valid. Security firm Halborn drew an explicit parallel to the August 2022 Nomad Bridge attack, which exploited an analogous proof-handling flaw rather than an underlying cryptographic weakness. 
Critically, the relay component — which sits between the two chains and performs what Rekt News described as 'quiet work' — had not been covered by any documented third-party security audit, despite audits existing for adjacent Syscoin products including Pali Wallet and Syshub.","heading":"Technical Root Cause","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin — Rekt News","type":"news_article","url":"https://rekt.news/syscoin-rekt"}]},{"content":"The 5 billion unauthorized SYS tokens represented approximately 568 percent of Syscoin's pre-exploit circulating supply of 891 million SYS, meaning the unauthorized output constituted roughly 85 percent of total circulating supply post-attack. SYS declined over 20 percent within 24 hours of public disclosure. This came on top of a pre-existing 43 percent weekly decline tied to Binance's delisting of SYS on May 27, 2026. Binance announced the delisting on May 13, 2026 alongside four other altcoins (ATA, FARM, MLN, PHB), without providing explicit reasons. 
Total value locked in Syscoin DeFi protocols reportedly fell to near zero following the exploit disclosure, with only approximately 14 active addresses recorded in the 24 hours after disclosure.","heading":"Market and Supply Impact","severity":"high","sources":[{"credibility":2,"name":"SYS Drops 20% After 5B Unauthorized Tokens Minted — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/sys-drops-20-after-5b-unauthorized-tokens-minted-in-syscoin-bridge-exploit/"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":1,"name":"Binance Will Delist ATA, FARM, MLN, PHB, and SYS on May 27, 2026 — Binance","type":"official","url":"https://www.binance.com/en/support/announcement/a42f51022cb649aea0b4cb808205fd76"}]},{"content":"Syscoin's team paused all bridge operations within hours of detecting the unauthorized mint on June 7, 2026. On the same evening, Syscoin published a preliminary postmortem on its social media channels. The team coordinated with centralized exchanges and ecosystem partners to freeze or monitor the tainted balances and prevent the unauthorized SYS from reaching open markets. On June 9, 2026, Syscoin published a public recovery address (sys1qdytsq5am9a7y6hweenl925g3yxtlrvl9fls0yg) and confirmed that the attacker had initiated contact. The team engaged in private whitehat bounty negotiations rather than threatening legal action. Two on-chain recovery transactions were confirmed, with the funds returned to the recovery address. The specific terms of the bounty were not disclosed publicly. 
As of the date of this report the bridge remained offline with no public return-to-service timeline.","heading":"Team Response and Bridge Pause","severity":"medium","sources":[{"credibility":2,"name":"Syscoin — Rekt News","type":"news_article","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Syscoin Pauses Bridge After Attacker Mints 5 Billion Unauthorized SYS Tokens — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/syscoin-pauses-bridge-after-attacker-mints-5-billion-unauthorized-sys-tokens/"},{"credibility":2,"name":"Syscoin Halts Bridge After Exploit Mints 5 Billion SYS Tokens — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"}]},{"content":"No third-party audit of the bridge relay component's proof validation code has been publicly documented. Syscoin's broader ecosystem has received security reviews for adjacent products, including Pali Wallet and Syshub, but the relay — the component that arbitrates minting authority between two chains — was not covered. The absence of audit coverage on the relay's parsing logic is the identified root cause of the June 2026 exploit. The incident is consistent with a broader pattern documented by PeckShield in June 2026, which recorded $340.7 million in losses across 14 bridge exploits year-to-date, with code vulnerabilities accounting for 66 percent of all incidents. 
Halborn's post-mortem characterizes the Syscoin flaw as belonging to the same vulnerability class as the 2022 Nomad Bridge attack.","heading":"Audit and Security Posture","severity":"high","sources":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Crypto Bridge Hacks: $340M Stolen in 2026 and Why — Spaziocrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/crypto-bridge-hacks-340-million-stolen-2026-design-flaw/"},{"credibility":2,"name":"Syscoin — Rekt News","type":"news_article","url":"https://rekt.news/syscoin-rekt"}]},{"content":"Syscoin is one of the older surviving blockchain projects, launched in August 2014 and co-founded by Jagdeep (Jag) Sidhu, who serves as lead core developer and is affiliated with SYS Labs. The project's NEVM (Network Enhanced Virtual Machine), an EVM-compatible smart contract layer secured by Syscoin's Bitcoin-merge-mined base chain, reached mainnet on December 6, 2021. The bridge connecting the UTXO base chain and NEVM is a core infrastructure component enabling cross-chain asset transfers. Prior to the June 2026 exploit, Syscoin had been positioning as a modular, Bitcoin-secured Layer 1 with ZK-Rollup scalability ambitions. 
The Binance delisting of SYS in May 2026 reduced the token's liquidity on major centralized venues before the bridge exploit occurred.","heading":"Project Background","severity":"low","sources":[{"credibility":2,"name":"Syscoin's Smart Contract Chain Is Live — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/press-releases/syscoins-smart-contract-chain-is-live"},{"credibility":2,"name":"Jag Sidhu, Core Developer at Syscoin — CryptoNews","type":"news_article","url":"https://cryptonews.com/exclusives/jag-sidhu-core-developer-at-syscoin/"},{"credibility":1,"name":"Binance Will Delist SYS on May 27, 2026 — Binance","type":"official","url":"https://www.binance.com/en/support/announcement/a42f51022cb649aea0b4cb808205fd76"}]},{"content":"The Syscoin bridge exploit is part of a documented wave of cross-chain bridge attacks in 2026. According to PeckShield data reported by Spaziocrypto, cumulative losses from bridge exploits in 2026 reached $340.7 million across 14 major incidents as of early June 2026, before the Syscoin event. The most significant single incident prior to Syscoin was the alleged KelpDAO LayerZero bridge exploit on April 18, 2026, which drained approximately $292 million by exploiting a single-node RPC quorum configuration. Security researchers have characterized bridge vulnerabilities as structural rather than incidental, noting that bridges concentrate multi-chain collateral into single points of failure. 
The Syscoin incident adds to this pattern and has been cited in industry reporting as among the most recent confirmed bridge exploits in the mid-2026 period.","heading":"Broader Bridge Exploit Context (2026)","severity":"medium","sources":[{"credibility":2,"name":"Crypto Bridge Hacks: $340M Stolen in 2026 and Why — Spaziocrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/crypto-bridge-hacks-340-million-stolen-2026-design-flaw/"},{"credibility":2,"name":"Crypto Bridge Hacks Top $328M in 2026 — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/18/crypto-bridge-hacks-top-328m-in-2026-as-cross-chain-exploits-accelerate/"}]}],"sources_used":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin — Rekt News","type":"news_article","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Syscoin Halts Bridge After Exploit Mints 5 Billion SYS Tokens — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":2,"name":"SYS Drops 20% After 5B Unauthorized Tokens Minted in Syscoin Bridge Exploit — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/sys-drops-20-after-5b-unauthorized-tokens-minted-in-syscoin-bridge-exploit/"},{"credibility":2,"name":"Syscoin Pauses Bridge After Attacker Mints 5 Billion Unauthorized SYS Tokens — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/syscoin-pauses-bridge-after-attacker-mints-5-billion-unauthorized-sys-tokens/"},{"credibility":2,"name":"Syscoin Bridge 
Paused After 5 Billion Unauthorized SYS Tokens Minted — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/syscoin-bridge-paused-after-5-billion-unauthorized-sys-tokens-minted"},{"credibility":2,"name":"Syscoin Pauses Bridge After Exploit Creates 5B Unauthorized SYS — CoinPedia","type":"news_article","url":"https://coinpedia.org/crypto-live-news/syscoin-pauses-bridge-after-exploit-creates-5b-unauthorized-sys/"},{"credibility":2,"name":"Crypto Bridge Hacks: $340M Stolen in 2026 and Why — Spaziocrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/crypto-bridge-hacks-340-million-stolen-2026-design-flaw/"},{"credibility":2,"name":"Crypto Bridge Hacks Top $328M in 2026 — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/18/crypto-bridge-hacks-top-328m-in-2026-as-cross-chain-exploits-accelerate/"},{"credibility":1,"name":"Binance Will Delist SYS on May 27, 2026 — Binance Official","type":"official","url":"https://www.binance.com/en/support/announcement/a42f51022cb649aea0b4cb808205fd76"},{"credibility":2,"name":"Syscoin's Smart Contract Chain Is Live — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/press-releases/syscoins-smart-contract-chain-is-live"},{"credibility":2,"name":"Jag Sidhu, Core Developer at Syscoin — CryptoNews","type":"news_article","url":"https://cryptonews.com/exclusives/jag-sidhu-core-developer-at-syscoin/"}],"summary":"Syscoin Bridge is the cross-chain bridge infrastructure connecting Syscoin's UTXO chain and its Network Enhanced Virtual Machine (NEVM) EVM-compatible layer. In June 2026, an attacker exploited a proof-validation parsing flaw in the bridge relay, minting approximately 5 billion unauthorized SYS tokens valued at roughly $10 million and inflating the circulating supply by an estimated 568 percent. 
The bridge was paused immediately and the attacker subsequently returned the funds following private whitehat negotiations, though the incident raised serious questions about audit coverage of the relay component.","timeline":[{"date":"2014-08-01","event":"Syscoin blockchain launched, co-founded by Jagdeep Sidhu.","source":"CryptoNews / Syscoin official","source_url":"https://cryptonews.com/exclusives/jag-sidhu-core-developer-at-syscoin/"},{"date":"2021-12-06","event":"Syscoin NEVM (Network Enhanced Virtual Machine) EVM layer reached mainnet at block 1,317,500.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/press-releases/syscoins-smart-contract-chain-is-live"},{"date":"2026-05-13","event":"Binance announced delisting of SYS alongside four other altcoins, effective May 27, 2026.","source":"Binance official announcement","source_url":"https://www.binance.com/en/support/announcement/a42f51022cb649aea0b4cb808205fd76"},{"date":"2026-05-27","event":"Binance spot trading pairs for SYS removed. SYS dropped approximately 34% around the announcement.","source":"CoinCu / Binance","source_url":"https://coincu.com/binance-will-delist-ata-farm-mln-phb-sys-may-27-2026/"},{"date":"2026-06-07","event":"Attacker submitted malformed SPV proof to Syscoin bridge relay. Approximately 5 billion SYS minted on UTXO chain without corresponding NEVM burn. Initial output sent to sys1qgaelv690g7wwp2xchfdh0enf5uewzq5sm9wvcw, then split to two wallets. Syscoin published preliminary postmortem on social media the same evening.","source":"Rekt News / Halborn","source_url":"https://rekt.news/syscoin-rekt"},{"date":"2026-06-08","event":"Syscoin formally halted all bridge operations. Halborn released detailed technical breakdown of the exploit. 
SYS token declined over 20% within 24 hours.","source":"Crypto Times / Halborn","source_url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"},{"date":"2026-06-09","event":"Syscoin published public recovery address (sys1qdytsq5am9a7y6hweenl925g3yxtlrvl9fls0yg) and confirmed attacker had initiated whitehat contact. Private bounty negotiations began.","source":"Rekt News","source_url":"https://rekt.news/syscoin-rekt"},{"date":"2026-06-09","event":"Two on-chain recovery transactions confirmed, with the unauthorized 5 billion SYS returned to the Syscoin recovery address. Bounty terms not publicly disclosed.","source":"Rekt News","source_url":"https://rekt.news/syscoin-rekt"}]},"v":1}
Verify offline (run on your own machine): python -m src.verify_decision c81f21ee-daee-4a8f-b771-ceda262dfd9a
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
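The row-integrity check described above, sketched as an added example (this is not avoid.net's `src.verify_decision`). It assumes the canonical bytes are compact, sorted-key JSON and that the memo text carries the base58 hash as a substring; the record, memo layout and function names are constructed for illustration.

```python
import hashlib
import json

# Base58 alphabet shared by Bitcoin and Solana tooling.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical: bytes) -> str:
    """sha256 -> base58 over the exact canonical bytes of an audit row."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str, memo: str) -> dict:
    """Recompute the hash locally, then compare it with both witnesses."""
    computed = row_hash(canonical)
    return {
        "row_integrity": computed == stored_hash,  # matches the stored hash
        "memo_match": computed in memo,            # assumed memo layout
    }


# Constructed sample row (not the Syscoin record shown on this page).
record = {"actor": "system:backfill", "kind": "publish",
          "page_slug": "example-entity", "sequence_num": 1, "v": 1}
CANONICAL = json.dumps(record, sort_keys=True,
                       separators=(",", ":")).encode("utf-8")
STORED_HASH = row_hash(CANONICAL)
MEMO = "audit:" + STORED_HASH  # hypothetical memo text

# Same data re-serialised with default separators: different bytes, so the
# check must fail. Hash the bytes as published, never a re-encoded copy.
RESERIALISED = json.dumps(record, sort_keys=True).encode("utf-8")

if __name__ == "__main__":
    print("canonical   :", verify_row(CANONICAL, STORED_HASH, MEMO))
    print("reserialised:", verify_row(RESERIALISED, STORED_HASH, MEMO))
```

Any byte-level change, including pretty-printing or inserted line breaks, produces a different hash, so the comparison has to run over the bytes exactly as served.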