Syscoin’s team has recovered and destroyed 5 billion SYS tokens that an attacker minted through a flaw in the project’s cross-chain bridge. Syscoin had to burn the minted tokens to restore it
Syscoin’s team has recovered and destroyed 5 billion SYS tokens that an attacker minted through a flaw in the project’s cross-chain bridge.
Syscoin had to burn the minted tokens to restore its supply to its pre-exploit levels; however, its bridge remains offline.
The Syscoin team stated that they detected the attack on June 7. The attack targeted a gap between how two layers of Syscoin’s infrastructure interpreted the same transaction data.
Syscoin runs a dual-chain architecture that consists of a Bitcoin-based UTXO chain and an Ethereum-compatible smart contract layer called NEVM. Both chains are connected by a bridge that verifies transaction proofs before moving tokens between them.
The project confirmed in a technical postmortem published June 15 that the attacker crafted a transaction containing two asset commitments that both pointed at the same output.
One commitment referenced native SYS, while the other referenced a custom test token the attacker had created.
Syscoin Core and the NEVM relay each parsed the ambiguous payload differently. Core treated the transaction as involving the custom token.
The relay read it as native SYS and instructed the vault contract to release 5 billion tokens.
The attacker had tested the approach first with a smaller probe transaction using a different custom token, according to the postmortem. The main exploit followed with a second custom asset.
After tracing the exploited funds across UTXO addresses, the Syscoin team contacted the attacker on-chain with a recovery address and a warning that exchange escalation and legal action would follow if the tokens were not returned.
The attacker sent the full 5 billion SYS back, according to on-chain records linked in the postmortem.
The team then destroyed the tokens. The burn transaction is publicly viewable on Syscoin’s block explorer.
On June 10, Syscoin posted on X that it had told exchanges they could safely reopen SYS deposits and withdrawals.
The 5 billion minted tokens exceeded Syscoin’s legitimate circulating supply of roughly 891 million SYS by over 5 times, according to CoinMarketCap data.
Those minted tokens were worth around $9 million when the exploit happened.
SYS has struggled through most of 2026. CoinMarketCap lists the token at approximately $0.0026 with a market capitalization of $2.3 million. The token has declined by over 48% over the past 30 days and by over 91% in the past year.
DeFiLlama data shows that Syscoin’s total value locked (TVL) in DeFi protocols had dropped to effectively zero, with only 14 active addresses and 73 transactions recorded over a 24-hour period before the incident.
According to the Syscoin team, every bridge burn proof must map to exactly one asset identity, and both Core and the relay must agree on what that identity is.
The relay now rejects any burn transaction where asset commitments are duplicated, ambiguous, or could resolve inconsistently across layers. Core-side updates are also in progress to reject duplicate asset assignments at the consensus level.
The bridge is still paused, as the Syscoin team stated it is still pending final review. Native SYS deposits at exchanges have resumed, but cross-chain transfers through the bridge are closed until the team completes validation.
PeckShieldAlert data showed 14 major bridge and cross-chain exploits had drained a combined $340.7 million as of June 1, 2026. Around $28.62 million was lost in bridge-related exploits in May alone, the largest category by dollar amount that month.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
