SagaEVM Ethermint Mint Bypass

On January 20, 2026, the Web3 infrastructure platform Saga halted its SagaEVM chain after an attacker drained approximately $7 million in ETH, USDC, yUSD and tBTC through an Ethermint EVM vulnerability. The attacker minted the project's stablecoin Saga Dollar (D) without collateral, bridged the proceeds to Ethereum, and converted them to over 2,000 ETH plus Uniswap V4 liquidity positions. The full attack ran in approximately 11 minutes.

What happened

SagaEVM was Saga's Ethermint-based EVM chain, designed to give individual application developers their own "chainlet" — a dedicated EVM instance with custom tokenomics. The chain used Ethermint as its EVM implementation, the same Cosmos-SDK-EVM stack used by several other Cosmos-ecosystem chains.

The vulnerability lived in the Ethermint EVM's message validation — specifically, in how the chain processed custom messages routed through the EVM layer. The attacker discovered they could craft custom messages that bypassed expected validation and reached the protocol's stablecoin-minting logic with attacker-controlled inputs.

The attack:

1. Identified the message-validation gap in the SagaEVM Ethermint configuration.
2. Crafted malicious messages that the chain processed as legitimate but that contained attacker-controlled minting parameters.
3. Minted Saga Dollar (D) — the chain's stablecoin — without depositing the corresponding collateral.
4. Bridged the freshly-minted D tokens to Ethereum within the same 11-minute window, before defensive action could be taken.
5. Converted the bridged assets to 2,000+ ETH (~$6M+ at the time) and ~$800K in Uniswap V4 liquidity positions.

Aftermath

• Saga paused the SagaEVM chain within minutes of detection.
• The team identified the attacker's wallet publicly and began coordination with exchanges and bridge operators to freeze flagged addresses.
• SagaEVM's TVL fell from $37M to ~$16M as users withdrew on the chain restart.
• The team coordinated with the broader Cosmos / Ethermint security community on the underlying vulnerability disclosure.
• No public recovery; funds were laundered through Tornado Cash and DEX aggregators.

Why it matters

The SagaEVM incident is one of several 2025-2026 cases highlighting shared-codebase risk in the Cosmos-SDK / Ethermint ecosystem. When multiple chains adopt the same EVM implementation, a vulnerability in that implementation automatically applies to every chain using it — and the patch coordination across independent chain operators is slower than a single-codebase fix.

The structural lessons:

1. EVM implementations vary in subtle but security-critical ways. Ethermint, Polygon's Bor, BSC's geth fork, OP Stack, Arbitrum's Nitro — each has its own custom additions that introduce attack surface beyond canonical go-ethereum.
2. Message-validation in alt-EVMs is a recurring vulnerability category because the validation logic is often modified to support chain-specific message types (like Saga's stablecoin minting) that the upstream EVM doesn't anticipate.
3. The 11-minute attack window demonstrates that chain-level emergency response now needs to operate on minute timescales, not hour or day timescales. Validator coordination protocols that take longer than that are increasingly inadequate for high-value-at-stake chains.

Saga's response — fast pause, public attribution, ecosystem coordination — was credible for the loss scale but the chain's reputational impact was significant given its early-stage position in the chainlet-launching market.