Bridge validation flaw allowed 5 billion unauthorized SYS tokens to be minted through UTXO bridge
On June 7, 2026, Syscoin paused its bridge after a transaction-proof validation flaw allowed roughly 5 billion unauthorized SYS tokens to be minted through the UTXO bridge path. The attacker exploited a parsing error in the bridge relay process responsible for proof validation. Instead of creating a fake but valid proof, the attacker created a fake proof structured to take advantage of a flaw in the parsing code. This proof was interpreted as valid for a burn transaction that did not exist, resulting in unauthorized minting on the UTXO side. Syscoin operates a dual-chain system with a Bitcoin-based UTXO chain and an EVM-compatible NEVM chain.
The unauthorized output was initially traced to address sys1qgaelv...9wvcw. The attacker split funds into two tainted addresses: one holding approximately 4 billion SYS and another holding approximately 1 billion SYS. Syscoin asked exchanges and ecosystem partners to blacklist tainted addresses or freeze deposits tied to the tainted UTXO trail. The bridge was paused, a fix was deployed, and the team began tracing funds. No funds were directly stolen from user wallets — this was a supply inflation attack.