Operations on the SagaEVM blockchain have been temporarily suspended after a security incident resulted in the loss of nearly $7 million worth of cryptocurrency assets. The pause was implemented as a precautionary measure while the network team investigates the breach and advances recovery efforts. The stolen assets reportedly included Ethereum and various stablecoins, highlighting the financial impact of the exploit.
Saga indicated that the attack involved a combination of malicious contract deployments, cross-chain interactions, and liquidity withdrawals. Following the incident, investigators were able to identify the wallet associated with the attacker, enabling immediate efforts to trace and potentially recover the stolen funds. Despite the scale of the exploit, Saga emphasized that the broader network infrastructure has not been compromised.
addressing the recent exploit pic.twitter.com/BvMlpKCTyj
— Saga ⛋ (@Sagaxyz__) January 23, 2026
No Consensus or Validator Failures Identified
According to the project’s findings, the investigation has not uncovered any evidence of validator compromise, consensus failures, or leaked signer keys. This assessment suggests that the core mechanics of the SagaEVM blockchain remain intact and that the exploit was likely limited to specific smart contract interactions rather than a systemic network flaw.
We are aware of the SagaEVM incident and have been working closely with Saga and external security partners to investigate and remediate a confirmed vulnerability.
The issue has been identified as originating from the original Ethermint codebase. A long-term fix is in progress,… https://t.co/B3UWsZirko
— Cosmos Labs (@cosmoslabs_io) January 22, 2026
Saga reported that additional safeguards have already been implemented to reduce the likelihood of similar attack patterns in the future. These measures are intended to strengthen monitoring and detection around contract deployments and cross-chain activities, which have become increasingly complex and attractive targets for sophisticated threat actors.
Saga and @cosmoslabs_io engineers have identified the Jan 21 SagaEVM incident as originating from a vulnerability in the Ethermint codebase that was inherited by Cosmos EVM.
The vulnerability was exploited on SagaEVM and is being addressed in coordination with upstream… pic.twitter.com/8Hv8weeibg
— Saga ⛋ (@Sagaxyz__) January 22, 2026
Recovery Efforts and Security Enhancements
Efforts to recover the stolen funds are ongoing, with investigators actively monitoring on-chain movements linked to the identified attacker wallet. Saga has not disclosed whether asset recovery is guaranteed, but the identification of the wallet is viewed as a critical step in coordinating potential mitigation strategies with other ecosystem participants.
SagaEVM remains paused while we finalize the results of our investigation into the Jan 21 exploit.
We’re working with partners on remediation and will publish a post-mortem once findings are fully validated. $7M of USDC was bridged out and converted to ETH.
Extracted funds were…
— Saga ⛋ (@Sagaxyz__) January 22, 2026
SagaEVM has been paused at block height 6593800 in response to a confirmed exploit on the SagaEVM chainlet.
Mitigation is underway, and the team is fully focused on a solution.
Further updates will follow once details are confirmed.
— Saga ⛋ (@Sagaxyz__) January 21, 2026
The temporary pause in operations reflects a broader industry practice of prioritizing security and transparency following major incidents. By halting activity, the network aims to prevent further exploitation while ensuring that corrective actions are thoroughly tested before normal operations resume.
The funds in the recovery address 0xc22F7346eaF4340f51513bF9f01e5d722E558AB9 have now been distributed pro-rata. Please check your wallets.
If within 24 hours you have not received your WETH, open a Discord ticket.
A full technical post mortem will be coming out next week, as… https://t.co/I6f3Qs3NMG
— Makina (@makinafi) January 23, 2026
Broader Context of DeFi Security Challenges
The SagaEVM incident occurred shortly after another high-profile exploit within the decentralized finance sector. Earlier this week, DeFi protocol Makina disclosed that it had lost nearly $4 million during an attack that unfolded in approximately eleven minutes. Makina reported that multiple threat actors were involved and that the exploit took advantage of vulnerabilities within its protocol logic.
Jan 22, 2026, 13:15 UTC: Funds held by the MEV builder have been returned net of a 10% bounty awarded under the SEAL Whitehat Safe Harbor. This represents approximately 920 ETH of the 1,023 ETH received by the MEV builder, out of a total exploit amount of roughly 1,299 ETH. This…
— Makina (@makinafi) January 22, 2026
In response, Makina stated that it is developing a fix that will undergo auditing before being deployed through a protocol upgrade. This recovery plan is designed to restore confidence among users while addressing the technical weaknesses exposed during the attack.
Rising Frequency of Rapid Exploits
These incidents underscore the growing challenges faced by blockchain networks and DeFi protocols as attackers become faster and more coordinated. The Makina exploit, which occurred in a matter of minutes, and the more complex SagaEVM breach both illustrate how quickly vulnerabilities can be identified and exploited once deployed on-chain.
Security analysts have increasingly noted that cross-chain functionality, while enabling broader interoperability, also expands the attack surface. As protocols integrate with multiple networks and liquidity sources, ensuring comprehensive security across all interaction points becomes more difficult.
Implications for the Ecosystem
The pause of SagaEVM operations and the parallel response by Makina highlight the importance of rapid incident response and transparent communication in maintaining trust within decentralized ecosystems. While neither incident appears to have compromised underlying consensus mechanisms, both demonstrate how application-layer vulnerabilities can result in substantial financial losses.
As recovery efforts continue, these events are likely to prompt renewed scrutiny of smart contract auditing practices, real-time monitoring tools, and defensive design patterns across the DeFi landscape. For networks and protocols alike, strengthening preventative measures may prove critical as decentralized finance continues to expand in scale and complexity.