Layer-1 Protocol Saga Temporarily Shuts SagaEVM Chain After $7M Exploit

Layer-1 network Saga has paused its SagaEVM chain following an exploit that transferred nearly $7 million in tokens to Ethereum, as the team conducts an ongoing investigation and works to identify the full scope of the security breach.

Saga halted the chain at block height 6,593,800 after identifying a security incident on January 21, maintaining the network pause "out of an abundance of caution" while validating the complete impact, patching vulnerabilities, and reinforcing system security.

"We recognize that a pause is disruptive. We made this decision because the safety of our community comes first," the team stated Wednesday in a blog post. "Once remediation is complete, we will publish a more comprehensive technical post-mortem."

In its investigation update, Saga reported nearly $7 million in USDC, yUSD, ETH, and tBTC were transferred to Ethereum Mainnet, with the team identifying the wallet receiving the extracted assets. Saga is coordinating with exchanges and bridge operators to blacklist the attacker's address and support recovery efforts while continuing forensic analysis using archive data and execution traces.

Saga characterized the attack as a coordinated sequence involving contract deployments and cross-chain activity culminating in rapid liquidity withdrawals. Reports indicated the attacker bridged assets to Ethereum and converted proceeds into ETH through decentralized exchange swaps, obscuring the trail of stolen funds.

The incident affected the SagaEVM chainlet along with Colt and Mustang components, but did not compromise the Saga SSC mainnet, the protocol's consensus layer, validator security, or other Saga chainlets. The team stated it found no evidence of validator compromise, signer key leakage, or consensus failure, suggesting the vulnerability was isolated to specific chain implementations.

The breach arrives as cryptocurrency security remains under sustained pressure. Chainalysis estimated the industry experienced over $3.4 billion in theft during 2025, pointing to large, concentrated hacks as a primary driver of losses. The figure represents continued challenges in securing blockchain infrastructure despite advancing security practices.

Saga's decision to pause the entire chain reflects a conservative approach to incident response, prioritizing user asset protection over continuous operation. The temporary shutdown allows the team to comprehensively audit affected systems before reactivation, though the duration of the pause remains uncertain pending completion of security remediation.