Verify a decision

{"actor":"system:backfill","investigation_id":"0139032b-4847-4030-8aaf-4cd7ca782dc5","kind":"publish","page_slug":"saga-evm-blockchain","published_at":"2026-06-21T23:18:06.012Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Saga EVM Blockchain","sections":[{"content":"Saga (ticker: SAGA) is a Layer-1 blockchain protocol that enables developers to deploy dedicated application-specific blockchains called chainlets. The protocol is built on Cosmos SDK infrastructure and is co-founded and led by Rebecca Liao, who previously co-founded Skuchain, a blockchain platform for global trade that reached over $5 billion in annual volume, and served as a policy advisor on the Biden 2020 and Clinton 2016 presidential campaigns. Saga launched its mainnet and SAGA token on April 9, 2024, following a record-breaking $13.4 billion staked on Binance for its airdrop. The SagaEVM chainlet was a subsequent addition providing Ethereum Virtual Machine compatibility for DeFi protocols, including the Colt protocol, which offered a Saga Dollar (denoted $D) stablecoin backed by cross-chain collateral via IBC (Inter-Blockchain Communication).","heading":"Overview and Background","severity":"low","sources":[{"credibility":2,"name":"What is Saga? The Layer-1 Network, Upcoming Airdrop, and Game Publisher - Decrypt","type":"news_article","url":"https://decrypt.co/resources/what-is-saga-gaming-network-airdrop-token-launch"},{"credibility":2,"name":"Rebecca Liao - Co-founder & CEO at Saga.xyz | CryptoSlate","type":"other","url":"https://cryptoslate.com/people/rebecca-liao/"}]},{"content":"On January 21, 2026, an attacker exploited a critical vulnerability in SagaEVM's IBC (Inter-Blockchain Communication) precompile to mint approximately $7 million in Saga Dollar ($D) stablecoins without providing any collateral. The exploit was enabled by an inherited flaw in the Ethermint EVM codebase — specifically, the ICS20 Precompile component — which suffered from incorrect state handling during nested EVM execution paths. According to the official Cosmos EVM security advisory (ASA-2026-002), 'state updates performed during recursive calls were not correctly reflected in the outer execution context,' allowing token balances to be reused multiple times within a single transaction. The attacker deployed a helper contract (address: 0x7D69E4376535cf8c1E367418919209f70358581E) that crafted fake IBC messages mimicking legitimate collateral deposits. Because the IBC precompile lacked sufficient verification mechanisms, it accepted these fabricated payloads as authentic, triggering unauthorized minting of Saga Dollar through the Colt protocol. The attacker's primary wallet was identified as 0x2044697623afa31459642708c83f04ecef8c6ecb. Saga paused the SagaEVM chain at block 6,593,800 after detecting anomalous activity. The team confirmed that the Saga SSC mainnet, protocol consensus, validators, and other chainlets were unaffected.","heading":"January 2026 Exploit: Critical Security Incident","severity":"critical","sources":[{"credibility":1,"name":"ASA-2026-002 Security Advisory - cosmos/evm GitHub","type":"official","url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"credibility":2,"name":"Saga pauses EVM chain following smart contract exploit - The Block","type":"news_article","url":"https://www.theblock.co/post/386638/sagaevm-suffers-exploit"},{"credibility":2,"name":"Explained: The SagaEVM Hack (January 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-sagaevm-hack-january-2026"},{"credibility":2,"name":"Saga - Rekt News","type":"news_article","url":"https://rekt.news/saga-rekt"}]},{"content":"The root cause was a pre-existing vulnerability in the Ethermint EVM codebase that Saga inherited when deploying the SagaEVM chainlet. Cosmos Labs, which maintains the Ethermint-derived cosmos/evm module, confirmed in security advisory ASA-2026-002 that the flaw resided in the ICS20 Precompile component, affecting all versions prior to v0.6.0. The advisory assigned the vulnerability a Critical severity rating. The technical mechanism involved incorrect state propagation during nested EVM calls: when recursive calls invoked the IBC precompile, state modifications were not correctly reflected in the outer execution context, creating an opportunity for state confusion that allowed repeated minting. Cosmos Labs coordinated with 15 identified affected chains to distribute the patched version (v0.6.0) before public disclosure, which occurred in March 2026. The vulnerability was not authored by Saga; it was inherited from upstream code. However, Saga deployed the affected module without identifying or patching the vulnerability prior to mainnet operation.","heading":"Technical Root Cause: Inherited Ethermint Vulnerability","severity":"critical","sources":[{"credibility":1,"name":"ASA-2026-002 Security Advisory - cosmos/evm GitHub","type":"official","url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"credibility":3,"name":"Cosmos discloses SagaEVM exploit as patch ships | MEXC News","type":"news_article","url":"https://www.mexc.com/news/892096"},{"credibility":2,"name":"Saga EVM Hacked for $7 Million: What Happened and Why DeFi Security Matters - OneKey Blog","type":"research","url":"https://onekey.so/blog/ecosystem/saga-evm-hacked-for-7-million-what-happened-and-why-defi-security-matters-20260122143101/"}]},{"content":"Following the exploit, the attacker rapidly converted the minted Saga Dollar stablecoins for real collateral assets held in the Colt protocol, including USDC, yUSD, ETH, and tBTC, by using LayerZero to bridge assets to Ethereum mainnet. On Ethereum, the stolen funds were swapped across multiple decentralized exchanges including KyberSwap, 1inch, and CoW Swap, ultimately netting over 2,000 ETH valued at approximately $6 million. The attacker also created approximately $800,000 in Uniswap v4 LP positions. On January 24, 2026, the attacker transferred LP NFTs to a secondary clean wallet (0xf891de97fa96839329381743f0d6180fcefe3f64). According to blockchain security firm CertiK, $6.2 million of the stolen funds were subsequently deposited into Tornado Cash, a privacy mixer, using five separate wallets to layer transactions and obscure the trail. Approximately $847,000 in LP positions remained traceable as of reporting. The Saga team coordinated with exchanges and bridge operators to blacklist the attacker's identified addresses, though the bulk of funds had already been moved.","heading":"Fund Flows and Post-Exploit Laundering","severity":"critical","sources":[{"credibility":2,"name":"$6.2M stolen from Saga exploit land on Tornado Cash - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/saga-exploit-land-on-tornado-cash/"},{"credibility":2,"name":"Saga Hack: $6.2M Laundered via Tornado Cash - Phemex News","type":"news_article","url":"https://phemex.com/news/article/saga-hack-62-million-laundered-through-tornado-cash-55712"},{"credibility":2,"name":"Saga Attackers Move $6.2M to Tornado Cash - KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/saga-attackers-move-6-2m-to-tornado-cash-after-hacking-incident"},{"credibility":2,"name":"Saga - Rekt News","type":"news_article","url":"https://rekt.news/saga-rekt"}]},{"content":"The exploit had significant immediate market consequences. The Saga Dollar ($D) stablecoin depegged by approximately 25%, falling from its $1.00 peg to $0.75. Total Value Locked on the SagaEVM network collapsed from approximately $37 million to $13.6 million within 24 hours — a reduction of over 60%. The native SAGA token, which had been trading near multi-month lows since its May 2024 launch, declined further to approximately $0.053 following the attack announcement. Approximately $12 million in Saga Dollar stablecoins allegedly remained in the attacker's wallet on the Saga network side as of initial reporting, representing additional potential claims on protocol collateral. The SagaEVM chainlet remained paused pending investigation and remediation.","heading":"Market Impact and Financial Consequences","severity":"high","sources":[{"credibility":2,"name":"Saga EVM Hacked for $7 Million: What Happened and Why DeFi Security Matters - OneKey Blog","type":"research","url":"https://onekey.so/blog/ecosystem/saga-evm-hacked-for-7-million-what-happened-and-why-defi-security-matters-20260122143101/"},{"credibility":2,"name":"Saga Halts EVM Chain After Hack Drains $7M in USDC, ETH and tBTC - CoinCentral","type":"news_article","url":"https://coincentral.com/saga-halts-evm-chain-after-hack-drains-7m-in-usdc-eth-and-tbtc/"},{"credibility":2,"name":"Saga EVM chain paused following $7M smart contract exploit - crypto.news","type":"news_article","url":"https://crypto.news/saga-evm-chain-paused-after-7m-contract-exploit-2026/"}]},{"content":"Saga's team responded to the exploit by halting the SagaEVM chainlet at block 6,593,800 on January 21, 2026. The team published an initial statement confirming the exploit and clarifying that the broader Saga SSC mainnet, consensus layer, and validator set were not affected. Cosmos Labs was notified and began coordinating a patch distribution effort, ultimately releasing cosmos/evm v0.6.0 as the remediated version. All 15 chains identified as running the affected Ethermint-derived code were contacted and either upgraded or implemented short-term mitigations before the public disclosure in March 2026. Saga stated it was working with exchanges and bridge operators to blacklist the attacker's identified wallet addresses. The team committed to publishing a full post-mortem once investigation findings were validated, though no formal compensation or recovery plan for affected users had been publicly announced as of reporting. No regulatory actions or law enforcement referrals have been publicly disclosed.","heading":"Team Response and Remediation","severity":"medium","sources":[{"credibility":2,"name":"Saga pauses EVM chain following smart contract exploit - The Block","type":"news_article","url":"https://www.theblock.co/post/386638/sagaevm-suffers-exploit"},{"credibility":1,"name":"ASA-2026-002 Security Advisory - cosmos/evm GitHub","type":"official","url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"credibility":3,"name":"Cosmos discloses SagaEVM exploit as patch ships | MEXC News","type":"news_article","url":"https://www.mexc.com/news/892096"}]},{"content":"The SagaEVM incident carried implications beyond the Saga protocol. The cosmos/evm security advisory ASA-2026-002 identified 15 chains running versions of the affected Ethermint-derived codebase, all of which required patching or mitigation. This highlights a systemic risk in the Cosmos EVM ecosystem: multiple independent chains share a common ancestor codebase and may inherit vulnerabilities without independent security review. Cosmos Labs coordinated a controlled disclosure and patch distribution, choosing to notify affected chains privately before public announcement to limit exploitation of other networks. The incident represents the second known major security event tied to Ethermint-derived code, following a separate Ethermint vulnerability disclosed in a post-mortem by Evmos. The attack vector — specifically abusing IBC precompiles with crafted messages to bypass collateral validation — is considered novel and underscores the risk of cross-chain interoperability layers that have not received exhaustive adversarial review.","heading":"Broader Ecosystem Risk: Ethermint Inherited Vulnerability","severity":"high","sources":[{"credibility":1,"name":"ASA-2026-002 Security Advisory - cosmos/evm GitHub","type":"official","url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"credibility":3,"name":"Saga Pauses EVM Chain After $7M Exploit: What It Means for Cosmos and Cross-Chain Security","type":"news_article","url":"https://www.kanalcoin.com/saga-pauses-evm-chain-after-7m-exploit-what-it-means-for-cosmos-and-cross-chain-security/"},{"credibility":2,"name":"Post Mortem: Ethermint Security Vulnerability and Evmos' Swift Response","type":"other","url":"https://medium.com/evmos/post-mortem-ethermint-security-vulnerability-and-evmos-swift-response-13817fca8462"}]}],"sources_used":[{"credibility":1,"name":"ASA-2026-002 Security Advisory - cosmos/evm GitHub","type":"official","url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"credibility":2,"name":"Saga pauses EVM chain following smart contract exploit - The Block","type":"news_article","url":"https://www.theblock.co/post/386638/sagaevm-suffers-exploit"},{"credibility":2,"name":"Explained: The SagaEVM Hack (January 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-sagaevm-hack-january-2026"},{"credibility":2,"name":"Saga EVM Hacked for $7 Million: What Happened and Why DeFi Security Matters - OneKey Blog","type":"research","url":"https://onekey.so/blog/ecosystem/saga-evm-hacked-for-7-million-what-happened-and-why-defi-security-matters-20260122143101/"},{"credibility":2,"name":"Saga - Rekt News","type":"news_article","url":"https://rekt.news/saga-rekt"},{"credibility":2,"name":"$6.2M stolen from Saga exploit land on Tornado Cash - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/saga-exploit-land-on-tornado-cash/"},{"credibility":2,"name":"Saga Hack: $6.2M Laundered via Tornado Cash - Phemex News","type":"news_article","url":"https://phemex.com/news/article/saga-hack-62-million-laundered-through-tornado-cash-55712"},{"credibility":2,"name":"Saga Attackers Move $6.2M to Tornado Cash - KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/saga-attackers-move-6-2m-to-tornado-cash-after-hacking-incident"},{"credibility":2,"name":"Saga EVM chain paused following $7M smart contract exploit - crypto.news","type":"news_article","url":"https://crypto.news/saga-evm-chain-paused-after-7m-contract-exploit-2026/"},{"credibility":2,"name":"Saga Halts EVM Chain After Hack Drains $7M in USDC, ETH and tBTC - CoinCentral","type":"news_article","url":"https://coincentral.com/saga-halts-evm-chain-after-hack-drains-7m-in-usdc-eth-and-tbtc/"},{"credibility":3,"name":"Cosmos discloses SagaEVM exploit as patch ships - MEXC News","type":"news_article","url":"https://www.mexc.com/news/892096"},{"credibility":3,"name":"Saga Pauses EVM Chain After $7M Exploit: What It Means for Cosmos and Cross-Chain Security","type":"news_article","url":"https://www.kanalcoin.com/saga-pauses-evm-chain-after-7m-exploit-what-it-means-for-cosmos-and-cross-chain-security/"},{"credibility":2,"name":"Post Mortem: Ethermint Security Vulnerability and Evmos' Swift Response","type":"other","url":"https://medium.com/evmos/post-mortem-ethermint-security-vulnerability-and-evmos-swift-response-13817fca8462"},{"credibility":2,"name":"What is Saga? The Layer-1 Network, Upcoming Airdrop, and Game Publisher - Decrypt","type":"news_article","url":"https://decrypt.co/resources/what-is-saga-gaming-network-airdrop-token-launch"},{"credibility":2,"name":"Rebecca Liao - Co-founder & CEO at Saga.xyz | CryptoSlate","type":"other","url":"https://cryptoslate.com/people/rebecca-liao/"},{"credibility":3,"name":"Saga EVM Suffers $6.8M Hack, Network Halted After Unauthorized Stablecoin Minting - CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/01/22/saga-evm-hack-network-halted"}],"summary":"Saga is a Layer-1 blockchain protocol designed to support application-specific chains (chainlets), with a focus on gaming and DeFi use cases. In January 2026, its SagaEVM chainlet suffered a critical exploit in which an inherited vulnerability in the Ethermint EVM codebase allowed an attacker to mint approximately $7 million in unbacked stablecoins, which were subsequently bridged to Ethereum and largely laundered through Tornado Cash. The broader Saga SSC mainnet, consensus layer, and validator set were not compromised, but the incident exposed material risks from deploying EVM compatibility layers built on unaudited inherited codebases.","timeline":[{"date":"2024-04-09","event":"Saga mainnet and SAGA token launched; initial airdrop followed record $13.4 billion staked on Binance","source":"Decrypt","source_url":"https://decrypt.co/resources/what-is-saga-gaming-network-airdrop-token-launch"},{"date":"2026-01-21","event":"Attacker deployed helper contract (0x7D69E4376535cf8c1E367418919209f70358581E) and executed exploit against SagaEVM's IBC precompile, minting approximately $7M in Saga Dollar stablecoins without collateral; stolen assets bridged to Ethereum and swapped to ETH via multiple DEXes","source":"Rekt News / Halborn","source_url":"https://rekt.news/saga-rekt"},{"date":"2026-01-21","event":"Saga team halted SagaEVM chainlet at block 6,593,800; confirmed exploit and stated SSC mainnet and validators were unaffected; coordinated blacklisting of attacker addresses with exchanges and bridges","source":"The Block","source_url":"https://www.theblock.co/post/386638/sagaevm-suffers-exploit"},{"date":"2026-01-21","event":"Cosmos Labs notified of vulnerability; began coordinating with affected chains to distribute patch for cosmos/evm before public disclosure","source":"cosmos/evm Security Advisory ASA-2026-002","source_url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"},{"date":"2026-01-24","event":"Attacker transferred Uniswap v4 LP NFTs to a secondary clean wallet (0xf891de97fa96839329381743f0d6180fcefe3f64) in an effort to further obscure fund trails","source":"Rekt News","source_url":"https://rekt.news/saga-rekt"},{"date":"2026-01-24","event":"CertiK reported that $6.2 million of stolen funds had been deposited into Tornado Cash across five separate wallets","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/saga-exploit-land-on-tornado-cash/"},{"date":"2026-03-01","event":"Cosmos Labs issued public security advisory ASA-2026-002, disclosing the ICS20 Precompile vulnerability (fixed in cosmos/evm v0.6.0); confirmed all 15 affected chains had been patched or mitigated prior to disclosure","source":"cosmos/evm Security Advisory ASA-2026-002","source_url":"https://github.com/cosmos/evm/security/advisories/GHSA-54gx-3cgr-7mfm"}]},"v":1}