In January 2026, SagaEVM was the victim of a $7 million hack. The attacker exploited a vulnerability in its EVM precompile bridge to mint the protocol’s Saga Dollars stablecoin without providing equivalent collateral, causing the project’s stablecoin to depeg and fall to $0.75.
Inside the Attack
The root cause of the SagaEVM hack was a vulnerability in Ethermint’s EVM precompile code, which SagaEVM inherited. The protocol’s use of the forked Ethereum Virtual Machine (EVM) brought this previously unknown vulnerability into its own codebase.
This vulnerability affected the validation logic for transactions within the precompile bridge. The attacker was able to carefully craft transactions that bypassed this logic. The bypassed checks included both the validation that appropriate collateral was deposited and the accounting checks that limit the supply of the stablecoin.
As a result, the attacker could send messages to the protocol that were interpreted as a legitimate cross-chain transfer, including a deposit of appropriate collateral. In response, the protocol would mint the requested number of stablecoins.
The attacker exploited this vulnerability to create an effectively unlimited number of Saga Dollars essentially for free. After doing so, they could exchange these stablecoins for assets deposited into the protocol.
In total, an estimated $7 million in assets was drained from the project’s smart contracts and bridged to Ethereum, where the funds were converted into ETH and other assets. A significant portion of the stolen assets was later deposited into Tornado Cash, covering the attacker’s tracks.
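The two bypassed checks described above (collateral validation and supply accounting) can also be re-checked outside the bridge code by an independent reconciliation monitor. The following is an added example, not SagaEVM or Ethermint code; the `Deposit` and `Mint` types, their fields, and all sample values are assumptions made for illustration.

```go
package main

import "fmt"

// Deposit and Mint are hypothetical event schemas (not Ethermint or SagaEVM
// types): a collateral deposit confirmed on the source chain, and a
// stablecoin mint observed on the destination chain.
type Deposit struct {
	ID     string
	Amount uint64
}

type Mint struct {
	TxHash    string
	DepositID string // deposit the bridge message claims as backing
	Amount    uint64
}

// Reconcile re-checks every mint against confirmed deposits. It returns one
// finding per unbacked, over-sized or replayed mint, and the unbacked total.
func Reconcile(deposits []Deposit, mints []Mint) (findings []string, unbacked uint64) {
	remaining := make(map[string]uint64, len(deposits))
	for _, d := range deposits {
		remaining[d.ID] += d.Amount
	}
	for _, m := range mints {
		left, ok := remaining[m.DepositID]
		switch {
		case !ok: // the claimed deposit was never confirmed
			findings = append(findings, fmt.Sprintf("%s: no confirmed deposit %q", m.TxHash, m.DepositID))
			unbacked += m.Amount
		case m.Amount > left: // over-mint, or reuse of a spent deposit
			findings = append(findings, fmt.Sprintf("%s: mints %d against %d remaining", m.TxHash, m.Amount, left))
			unbacked += m.Amount - left
			remaining[m.DepositID] = 0
		default:
			remaining[m.DepositID] = left - m.Amount
		}
	}
	return findings, unbacked
}

func main() {
	// Constructed sample data, not from the incident: tx-a is backed, tx-b
	// over-mints, tx-c cites a deposit that never happened, tx-d reuses dep-1.
	deposits := []Deposit{{"dep-1", 1000}, {"dep-2", 500}}
	mints := []Mint{{"tx-a", "dep-1", 1000}, {"tx-b", "dep-2", 700},
		{"tx-c", "dep-9", 5000}, {"tx-d", "dep-1", 1000}}
	findings, unbacked := Reconcile(deposits, mints)
	fmt.Println(findings, "unbacked supply:", unbacked)
}
```

Any non-zero unbacked total means the on-chain validation path accepted a mint it should not have, which is a signal to pause minting and investigate.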
Lessons Learned from the Attack
The SagaEVM hack was made possible by an inherited vulnerability within the protocol’s codebase. The project used the Ethermint EVM, which included a vulnerability that the attacker could exploit. This overlooked vulnerability allowed the attacker to craft custom messages that bypassed validation, permitted unlimited minting of the project’s stablecoin without proper collateral, and resulted in the loss of an estimated $7 million in assets that were deposited into the project’s smart contract.
This incident demonstrates the threat posed by supply chain vulnerabilities and the need to identify and manage vulnerabilities throughout a project’s entire codebase. Forked code is common in the DeFi space, and many projects have been burned by vulnerabilities that existed in their copied code.
Halborn offers comprehensive security audits, enabling DeFi projects to find and fix vulnerabilities in both their on-chain and off-chain code. To learn more about how Halborn can help your project to reduce its risk of an expensive smart contract hack, get in touch.
