Saga Postmortem — CoinYield

Saga - Rekt: Security Incident Report

Overview

On January 21, 2026, the Saga blockchain suffered a $7 million exploit involving the minting of counterfeit Saga Dollar tokens through compromised Inter-Blockchain Communication (IBC) mechanisms.

What Happened

An attacker crafted custom IBC messages that bypassed validation checks in SagaEVM's bridge precompile, enabling the creation of $7 million in Saga Dollar tokens without corresponding collateral. The freshly minted tokens were redeemed against the Colt and Mustang protocols for legitimate yield-bearing assets (yETH, yUSD, tBTC), which were then bridged to Ethereum and converted to over 2,000 ETH (~$6 million) via DEX aggregators.

Impact Metrics:

• $7 million in fraudulent minting

• Saga Dollar depegged 25% to $0.75

• Total Value Locked collapsed from $37 million to $13.6 million within 24 hours

• Chain paused at block 6593800

Technical Root Cause

Per Cosmos Labs, "The issue has been identified as originating from the original Ethermint codebase." The IBC precompile lacked sufficient validation to verify that deposit events were authentic—it processed fabricated messages without confirming the source chain actually held the claimed collateral.

Attack Vector

Helper Contract: 0x7D69E4376535cf8c1E367418919209f70358581E

The attacker deployed a contract that:

1. Generated custom IBC payloads mimicking legitimate collateral deposits

2. Transmitted forged messages directly to the bridge precompile

3. The precompile minted corresponding $D tokens without validation

4. Redeemed fraudulent tokens against Colt/Mustang for real collateral

5. Extracted assets to Ethereum via LayerZero

Attack Transactions:

• 0x0c038d70c684b5797ed5b8ac578cf7151ec95f5a1a135cd9d48028f72d0f7a2b

• 0x2651c022e2ebba23032b3f0f82a4d9e7caa0be701620e51851e232aa8e35e054

• 0x1fc886dcacbc3e186941236be0e6a1605348d724c0368e21fbf485cb6157ba8f

Financial Impact

Attacker Address: 0x2044697623afa31459642708c83f04ecef8c6ecb

Funds Flow:

• $6.2 million routed through Tornado Cash across five wallets

• $847,000 deposited in Uniswap V4 LP positions under separate address: 0xf891de97fa96839329381743f0d6180fcefe3f64

• LP positions remained earning yield under alternative wallet

Protocol Damage:

• Saga Dollar stablecoin depegged significantly

• TVL dropped 63% in 24 hours

• Colt and Mustang protocols exposed to liquidation risk

Remediation Actions

1. Chain Halt: SagaEVM paused at block height 6593800

2. Blacklisting: Attacker address flagged across major exchanges and bridge protocols

3. Ecosystem Alert: Cosmos Labs issued mitigation guidance to multiple EVM chains using vulnerable Ethermint code

4. Investigation: Post-mortem promised upon validation of findings

Systems Unaffected:

• Saga SSC mainnet continued operating

• Validator consensus remained secure

• No signer key compromise detected

Ecosystem Implications

The vulnerability exists in Ethermint's foundational codebase, affecting multiple EVM chains beyond Saga. This discovery triggered ecosystem-wide patching efforts as Cosmos Labs coordinated responses across dependent projects.