Saga hacked for 7 million! Stablecoin de-pegged to $0.75, temporarily suspending full-chain operations

Saga遭7 million USD attack, sub-chains emergency pause. Saga Dollar de-pegged to $0.75, TVL evaporated 55% to $16 million. Attacker addresses have been blacklisted, suspected of an infinite minting vulnerability.

Saga halted due to $7 million attack

Layer-1 blockchain protocol Saga has suspended its service on its SagaEVM sub-chain after a $7 million vulnerability attack, which resulted in unauthorized funds being transferred and converted into Ether. The Saga team announced on X forum Wednesday that, in response to this exploit, they have paused the block height of the Ethereum-compatible chain to 6,593,800.

In a subsequent Medium post, the team stated that as part of ongoing investigations, they found that the security incident appears to involve “a series of coordinated contract deployments, cross-chain activities, and subsequent liquidity withdrawals.” They emphasized: “There was no consensus failure, validator compromise, or signer key leakage. The overall structure of the Saga network remains robust.” They also added that additional security measures have been implemented to prevent similar attacks.

This statement attempts to characterize the attack as an exploit at the smart contract layer rather than a failure of the underlying consensus mechanism. For blockchain projects, consensus failures or validator breaches are the most severe security events, as they undermine the trust foundation of the entire network. Saga emphasizes “the overall network structure remains robust,” trying to contain the damage at the application layer and avoid a fatal blow to confidence in the underlying technology.

According to Saga, besides SagaEVM chain, other stablecoins on the platform, Colt and Mustang, were also affected. The chain will remain paused until engineering and security teams complete further investigations and publish a full incident report. Meanwhile, Saga team has identified the addresses where funds were sent and is “working with exchanges and bridges to blacklist these addresses.”

The decision to pause the blockchain itself is quite controversial. In theory, decentralized blockchains should not be stoppable by a single entity, but in practice, many Layer-1 and Layer-2 projects retain emergency stop mechanisms. This centralized control can enable quick damage control during security incidents but also exposes the true nature of these so-called “decentralized” projects. For Saga, choosing to pause the chain is a trade-off: continuing operation might lead to greater losses, while pausing sacrifices decentralization ideals to protect user assets.

Key Data of Saga Attack Event

Loss amount: $7 million

Stablecoin de-pegging extent: from $1 to $0.75 (down 25%)

TVL loss: from $37 million to $16 million (evaporated 55%)

Paused block height: 6,593,800

Affected assets: Saga Dollar, Colt, Mustang stablecoins

Saga Dollar de-pegged to $0.75, confidence collapse

According to data from crypto data aggregator CoinGecko, the protocol’s main USD-pegged stablecoin Saga Dollar de-pegged from the dollar around 10:16 PM Wednesday (UTC), with its price dropping to $0.75. This 25% de-pegging is catastrophic for a stablecoin, as its core value relies on maintaining a 1:1 peg with fiat currency.

There are generally two mechanisms for stablecoin de-pegging. The first is demand-side de-pegging: when a large number of holders panic-sell, market liquidity cannot absorb all sell orders at $1, causing the price to fall below the peg. The second is supply-side de-pegging: when the issuer’s collateralization is insufficient or problematic, it cannot guarantee full redemption at 1:1, leading to loss of confidence in the peg. Saga Dollar’s de-pegging may involve both factors: an attack causing collateral loss (supply-side issue) and panic selling (demand-side issue).

A price of $0.75 means Saga Dollar holders instantly lost 25% of their assets. For users employing stablecoins for payments, lending collateral, or liquidity mining, such losses can trigger chain reactions. Lending protocols using Saga Dollar as collateral may face forced liquidations, liquidity pools’ Saga Dollar value shrinks, amplifying impermanent loss, and recipients in payment scenarios may suffer exchange rate losses.

The platform’s total locked value (TVL) also declined. DeFiLlama estimates Saga’s TVL has dropped from over $37 million to $16 million in the past 24 hours, evaporating about $21 million or 55%. The sharp drop in TVL reflects not only the direct funds lost in the attack but also a collapse in user confidence. Many users, upon hearing the attack news, chose to withdraw assets urgently and transfer out of the Saga ecosystem.

Infinite minting vulnerability suspicion and attack analysis

Saga team has not yet released a post-incident analysis; all third-party theories about the cause of the vulnerability remain unconfirmed. However, initial security researcher analyses provide important clues. Threat researcher Vladimir S stated that the attacker was able to “create Saga Dollars out of thin air” by exploiting an abuse of the IBC mechanism and sending custom messages through an auxiliary contract.

“He bypassed verification in the pre-compiled bridge logic by crafting custom messages or payloads, allowing them to mint $D tokens infinitely without collateral,” he added. This attack method is highly covert and dangerous. IBC (Inter-Blockchain Communication) is a cross-chain protocol enabling data and asset transfer between different blockchains. Attackers, through carefully crafted messages, can bypass verification mechanisms, trick the system into believing they deposited collateral, and in fact, mint stablecoins out of thin air.

Such infinite minting vulnerabilities are not uncommon in DeFi history. Attacks like Mango Markets in 2022 and Cream Finance in 2021 involved similar mechanisms: exploiting contract logic bugs to create assets out of thin air or inflate collateral value. Common features of these attacks include high technical complexity, difficulty in pre-discovery, and large losses.

Meanwhile, an on-chain investigator with the pseudonym Specter speculated that this appears to be “the result of private key leakage,” but also admitted that “information is limited.” Private key leakage is a completely different attack vector, meaning the attacker gained control of a key wallet or smart contract, allowing direct fund transfers or malicious operations. If true, the severity could be even higher, as it involves internal security failures.

Currently, both theories remain unconfirmed by Saga officials. Infinite minting bugs and private key leaks, though different attack paths, both can explain the $7 million loss and stablecoin de-pegging. Saga team promises to release a full incident report, and the truth will be revealed then. For DeFi users, this incident is a reminder of the real risks of smart contracts— even audited protocols can harbor fatal vulnerabilities.

Can Saga restore trust and re-peg stablecoins

Saga team stated they have identified the addresses where funds were sent and are “working with exchanges and bridges to blacklist these addresses.” While such post-hoc measures cannot recover lost funds, they can at least prevent attackers from easily cashing out. If major exchanges and cross-chain bridges blacklist the attacker addresses, stolen funds will be difficult to convert into other assets or fiat.

However, for the Saga ecosystem, a bigger challenge is how to restore user trust and re-establish stablecoin pegs. After Saga Dollar dropped to $0.75, even if the attack is successfully contained, the price will be hard to immediately return to $1. This requires proactive measures from the issuer, such as injecting additional collateral, repurchasing discounted stablecoins from the market, or providing redemption guarantees.

The massive loss of TVL from $37 million to $16 million shows that users have already “voted with their feet.” Even if Saga eventually publishes an incident report and fixes the vulnerabilities, convincing these departed users to return will be extremely difficult. The DeFi market is highly competitive, with countless alternatives; a major security breach often causes permanent damage to a project.