Saga Halts SagaEVM After $7M Exploit Drains Funds to Ethereum

$7 million drained from SagaEVM chainlet; developers pause network to assess impact and strengthen security.


Blockchain developer Saga has paused its SagaEVM chain following an exploit that moved roughly $7 million in assets off the network, with the attacker routing the funds to Ethereum and swapping them into ETH, according to the project and reports covering the incident.

The chain was stopped at a specific block height after Saga detected what it described as a “security incident” on Wednesday. 

The team has kept SagaEVM offline while assessing the full impact, developing a fix, and hardening the system. A more detailed technical post-mortem is expected once investigations conclude.

The Breach and What Wasn’t Affected

In the Wednesday blog post, Saga reported that the stolen assets included USDC, yUSD, ETH, and tBTC.

The exploit involved a coordinated series of contract deployments, cross-chain activity, and liquidity withdrawals, resulting in nearly $7 million being transferred to the Ethereum Mainnet.

The exploiter’s wallet has been identified as 0x2044697623afa31459642708c83f04ecef8c6ecb, and Saga is working with exchanges and bridges to blacklist the address and recover the stolen funds.

The attacker then bridged the assets to Ethereum and executed swaps, a common tactic used to make recovery more difficult.

Saga confirmed that the incident was limited to the SagaEVM “chainlet,” affecting only Colt and Mustang. 

Its mainnet, consensus layer, validator security, and other chainlets were unaffected. The company added that there is no evidence of validator compromise, signer key leaks, or consensus failures, indicating the issue was isolated to the application layer rather than a deeper protocol vulnerability.

Recovery Efforts and Industry Context

As a precaution, the SagaEVM chain was paused at block height 6,593,800 while engineering and security teams carry out a full forensic investigation.

Saga stated that the pause is intended to prevent further impact, assess the full scope of the incident using archive data and execution traces, and reinforce affected components before the chain is restarted.

The company confirmed that the broader network remains secure. The mainnet, other chainlets, protocol consensus, validator security, and signer keys were not affected. There has been no consensus failure, and no additional parts of the network have been compromised.

Saga outlined next steps, which include completing root cause analysis, patching and hardening affected cross-chain and deployment components, coordinating with ecosystem partners, and publishing a detailed technical post-mortem describing the incident, the measures taken, and the safeguards implemented.


People Also Ask:

What is SagaEVM and why does it matter?

SagaEVM is a chainlet in the Saga blockchain ecosystem that supports smart contracts and decentralized finance (DeFi) applications. While smaller than the mainnet, SagaEVM handles real assets, making its security critical to users and the broader network.

What happened in the SagaEVM exploit?

On January 21, 2026, a coordinated exploit moved roughly $7 million in USDC, yUSD, ETH, and tBTC off the SagaEVM chain. The attacker deployed multiple contracts, leveraged cross-chain bridges, and withdrew liquidity, eventually transferring the assets to Ethereum and swapping them into ETH.

What is a cross-chain exploit?

A cross-chain exploit occurs when an attacker takes advantage of the interactions between different blockchains or chainlets. They can move assets between chains, bypassing safeguards and sometimes making stolen funds harder to recover.

Which parts of a blockchain network can be affected?

Some attacks are limited to a specific chainlet or smart contract, while others may affect the main blockchain, consensus mechanism, or validator security. The scope depends on where the vulnerability exists.


Author
DailyCoin Team
