The Yala Protocol Attack: How an Exploit Caused a Stablecoin to Crash

The Yala protocol has suffered a devastating blow to its ecosystem: on September 14, its Bitcoin-backed stablecoin YU collapsed by nearly 80%—plunging from $1 to $0.20—after attackers exploited a vulnerability in the system. The company described the incident as an “attempted attack,” yet the consequences proved catastrophic for the token’s value.

According to Lookonchain, unknown actors exploited a flaw in Yala’s cross-chain bridge, allowing them to mint roughly 120 million YU on the Polygon network. A portion of these tokens was transferred to Ethereum and Solana, where the attackers swapped 7.71 million YU for 7.7 million USDC. The funds were then funneled through a series of wallets and converted into 1,501 ETH. The attackers still hold 22.29 million YU on Ethereum and Solana, along with 90 million unredeemed tokens on Polygon.

Developers immediately disabled the Convert and Bridge functions to prevent further manipulation. The company stressed, however, that all Bitcoin reserves backing the stablecoin remained secure in vaults and self-custodied wallets. External blockchain security specialists have been engaged to investigate the breach.

In the aftermath, YU briefly recovered, climbing to $0.917, but failed to hold ground and is now trading around $0.79. The principal driver of instability has been limited liquidity reserves: the main pool on Ethereum held just $340,000 USDC, leaving the token’s price vulnerable to extreme swings during high-volume trades.

Major exchanges, including Bybit and OKX, suspended YU deposits and withdrawals, citing “network instability.” This decision effectively deprived traders of the ability to use arbitrage to restore the token’s dollar peg.

The incident echoes earlier infinite-mint exploits targeting bridges—most notably the Nomad Bridge hack of 2022, which caused losses of $190 million. Cross-chain vulnerabilities continue to represent the Achilles’ heel of such projects, with bridge exploits now among the gravest threats to the DeFi ecosystem.

During the attack, YU trading volume spiked 500%, as opportunistic players sought to capitalize on the volatility. Importantly, Yala’s Bitcoin reserve remained untouched—the damage was inflicted squarely on the smart contracts. Launched in early 2024 with backing from Dragonfly Capital and Polygon Ventures, the project positioned YU as a more reliable alternative to fiat-backed stablecoins, anchored directly to BTC. That promise of resilience now stands in serious doubt.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy