The team has the vulnerability that led to the exploit and is expected to publish a comprehensive technical post-mortem once remediation is complete.
$6.2 million of the funds stolen during the SagaEVM exploit has been traced to deposits into Tornado Cash, a privacy mixer on Ethereum that helps obscure transaction trails.
The tactic is common among hackers trying to launder considerable stolen funds and make recovery almost impossible.
The exploit that targeted SagaEVM, described as an L1 to launch L1s, occurred on January 21. After the incident, the team posted on X that the L1 had been paused at block height 6593800 in response to the confirmed exploit on the SagaEVM chainlet.
How the hackers laundered the stolen funds
According to the report by blockchain security firm CertiK, the attackers initially distributed the funds across five separate wallets before they funneled them into the privacy mixer via multiple transactions.
“Mitigation is underway, and the team is fully focused on a solution,” the team wrote at the time.
The exploit saw nearly $7,000,000 in USDC, yUSD, ETH, and tBTC transferred to the Ethereum mainnet. The exploiter’s wallet had been identified and fed to exchanges and bridges to blacklist it and possibly reclaim the stolen funds.
According to Certik’s report, $6.2 million out of those funds is what has now been split into deposits fed into the Tornado Cash mixer. This is expected to frustrate remediation and recovery efforts.
The latest deposit adds to the notoriety of Tornado Cash, adding to a past checkered with US sanctions and legal issues still plaguing its developers.
Attackers continue to use it to obscure their trails post-exploit, and it does exactly what it was designed to do — help them disappear.
What happened to SagaEVM?
According to a post-mortem the team shared on January 21, the incident involved a coordinated sequence of contract deployments, cross-chain activity, and subsequent liquidity withdrawals.
The document revealed that the team paused the chain out of an abundance of caution while they actively investigated and mitigated. It revealed the focus was stopping further impact by keeping SagaEVM paused while mitigation is implemented; validating the full blast radius using archive data and execution traces; and hardening the relevant components before a restart.
The main components affected by the exploit include the SagaEVM chainlet, as well as Colt and Mustang. Others, like the Saga SSC mainnet, Saga protocol consensus, validator security, and other Saga chainlets, went unaffected.
“There has been no consensus failure, validator compromise, or signer key leakage,” the document read. “The broader Saga network remains structurally sound.”
The team claimed its next steps would be to complete root cause validation, patch and harden affected cross-chain and deployment components, coordinate with ecosystem partners where relevant, and publish a more comprehensive technical post-mortem.
Vulnerability links back to Cosmos
After receiving support from Cosmos Labs engineers, the team has revealed that the issue originated from the original Ethermint codebase, making it an inherited issue.
In response to that post, Cosmos Labs shared a statement, admitting they are aware of the incident and claiming they have been working closely with Saga and external security partners to investigate and remediate the “confirmed vulnerability.”
They revealed they had contacted a subset of EVM chains they deemed affected by the incident and provided short-term mitigations.
“As always, we recommend all projects continue to implement baseline security practices such as rate-limiting and security monitoring to strengthen early detection and mitigation,” they wrote on X.
Join a premium crypto trading community free for 30 days – normally $100/mo.
