SagaEVM (Saga chainlet)

Method: Ethermint IBC-message-validation bypass via a helper contract abusing custom IBC messages, enabling unlimited mint of the Saga Dollar stablecoin without collateral backing. Root cause: SagaEVM's underlying Ethermint stack contained an IBC-message-validation bypass: the attacker crafted custom IBC messages handled by a helper contract that abused the IBC token-creation path to mint stablecoin (the Saga Dollar 'D' token) WITHOUT posting collateral. The vulnerability lived in the validation logic for cross-IBC message handling — the bytecode validated structure but not economic preconditions on the mint operation. With unbacked D tokens in hand, the attacker bridged them to Ethereum and swapped via Uniswap V4 for ~2,000 ETH (~$6M) plus other assets, ultimately routing $6.2M into Tornado Cash. The Saga Dollar stablecoin lost its peg ($1.00 → $0.75) as the unbacked supply hit secondary markets. Saga halted the SagaEVM chainlet at block 6,593,800 to stop further drains. TVL dropped from ~$36M to ~$21M (-42%). Total realized loss ~$6.8-7M. Narrative: Saga halted the SagaEVM chainlet on 2026-01-22 at block 6,593,800 after the unbacked-mint attack. Attacker bridged minted tokens to Ethereum, swapped via Uniswap V4 for ~2,000 ETH and other assets, deposited $6.2M into Tornado Cash. Saga Dollar lost its peg ($1.00 → $0.75) as supply expanded. TVL fell from ~$36M to ~$21M (-42%). Notes: Cosmos/Ethermint ecosystem incident. Cross-IBC validation surface is the relevant attack class; future Ethermint deployments should review IBC handler economic preconditions, not just structural validation.