An attacker exploited a validation flaw in Syscoin’s bridge system, minting approximately 5 billion unauthorized SYS tokens worth nearly $10 million. The incident triggered a nearly 20% price drop for a token already down significantly over recent weeks. The Syscoin team has paused the bridge and is working with exchanges to blacklist the fraudulent funds.
An attacker exploited a validation issue in Syscoin’s bridge relay path, which incorrectly accepted a transaction proof, and minted about 5 billion unauthorized SYS tokens. The fraudulent output was valued at just under $10 million and sent the token’s price into a nearly 20% freefall.
The Syscoin team revealed the incident in an early postmortem published on X. The stolen funds were sent to a specific address and then split across two other wallets.
Syscoin immediately paused the bridge and contacted exchanges to blacklist deposits connected to the tainted transactions. The team stated it had identified the affected validation path and implemented a fix pending security review.
Blockchain analytics account Hupzy, operated by Spot On Chain, noted the incident was a recurring structural problem. It also noted that while blacklisting may contain secondary damage, the reputational hit to the bridge model will persist.
The exploit occurred while SYS was already down more than 43% in seven days and over 82% in the last month. Much of that decline followed Binance’s delisting of SYS last month after a review of its listing standards.
The attack is the latest in a string of cross-chain security incidents. They include an $11 million exploit on the Verus network in May and the draining of $7.3 million from over 1,400 DxSale liquidity pools on the BNB Chain.
