Layer-1 blockchain protocol Saga has paused its Ethereum-compatible SagaEVM chainlet following a confirmed security incident that resulted in nearly $7 million worth of assets leaving the network.
Saga disclosed the incident on Jan. 21, stating that the chain was halted at block height 6,593,800 after engineers detected unauthorized activity tied to contract deployments and cross-chain transfers. The team described the decision to pause the chain as a precautionary step to limit further impact while a forensic investigation proceeds.
SagaEVM has been paused at block height 6593800 in response to a confirmed exploit on the SagaEVM chainlet.
— Saga ⛋ (@Sagaxyz__) January 21, 2026
Mitigation is underway, and the team is fully focused on a solution.
Further updates will follow once details are confirmed.
Coordinated activity preceded liquidity withdrawals
In a Medium update published after the pause, Saga said the incident involved “a coordinated sequence of contract deployments, cross-chain activity, and subsequent liquidity withdrawals.”
Nearly $7 million in USDC, yUSD, ETH, and tBTC moved from the SagaEVM chainlet to the Ethereum mainnet. Saga later confirmed that the funds were bridged out and converted, with the extracted assets linked to a single Ethereum address: 0x2044697623afa31459642708c83f04ecef8c6ecb.
“We are working with exchanges and bridges to blacklist this address,” Saga said in a follow-up post.
The team emphasized that the exploit did not affect Saga’s broader protocol infrastructure.
“There has been no consensus failure, validator compromise, or signer key leakage. The broader Saga network remains structurally sound,” the statement said.
Scope of impact remains contained
Saga confirmed that the impact was limited to the SagaEVM chainlet and two environments known as Colt and Mustang. Other components of the network remain operational.
Not affected, according to Saga, are the Saga SSC mainnet, protocol consensus, validator security, and other chainlets. The team stated that validators and signer keys remain secure.
Saga Dollar, the protocol’s primary US dollar-pegged stablecoin, experienced market stress following the disclosure. According to CoinGecko data, the token fell to approximately $0.75 late Wednesday before stabilizing. At the same time, Saga’s total value locked declined sharply.
DefiLlama data shows the protocol’s TVL fell from over $37 million to roughly $16 million within 24 hours of the pause.
Mitigation steps and investigation process
Saga said its engineering and security teams initiated a full forensic investigation immediately after confirmation of the incident. The process includes analysis of archive node data and execution traces to determine the full blast radius.
Cross-chain activity related to the exploit has been reviewed and restricted where appropriate. Saga also stated that additional safeguards have already been introduced to prevent similar coordinated attack patterns.
“SagaEVM remains paused while our engineering and security teams work through a full remediation process,” the team wrote. “Once remediation is complete, we will publish a more comprehensive technical post-mortem.”
Saga added that communication during the investigation would focus only on confirmed facts.
“Our approach is to communicate only confirmed information,” the statement said. “During active investigation, that means prioritizing correctness and user safety.”
Unconfirmed theories emerge from security researchers
Saga has not yet published a root cause analysis, and the team cautioned that third-party theories remain unverified.
Vladimir S, a threat researcher, suggested that the attacker may have minted Saga Dollar without collateral by abusing inter-blockchain communication mechanisms.
“By crafting custom messages or payloads, the contract bypassed validation in the precompile bridge logic, enabling infinite minting of $D tokens without collateral,” he said.
An on-chain investigator known as Specter offered a separate hypothesis, stating the exploit appeared to “be the result of a private key compromise,” while also noting that available information remains limited. Saga has not confirmed either explanation.
What comes next for SagaEVM
Saga said the chain will remain paused until the investigation concludes and mitigation steps receive full validation. The team plans to patch and harden affected components, coordinate with ecosystem partners, and publish a detailed technical post-mortem once findings are finalized.
The incident adds to a growing list of smart contract and cross-chain exploits reported across the crypto sector in recent months. Saga acknowledged the disruption caused by the pause but reiterated that the decision prioritized user safety.
“We recognize that a pause is disruptive,” the team said. “We made this decision because the safety of our community comes first.”
Gunel Ismayilova
Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that despite the nature of much of the material created and hosted on this website, HODL FM is not a financial reference resource, and the opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice. HODL FM strongly recommends contacting a qualified industry professional.
