Yala Protocol Dormant OFTU Unauthorized Mint And Bridge

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:48, 10 October 2025 by Azoundria (imported from https://www.quadrigainitiative.com/casestudy/yalaprotocoldormantoftuunauthorizedmintandbridge.php)


Yala, a platform that allows users to collateralize Bitcoin for its stablecoin $YU, experienced a security breach when a developer exploited temporary deployment keys to set up an unauthorized cross-chain bridge. This hack led to the extraction of approximately 7.64 million USDC (~1,636 ETH). In response, Yala engaged top security firms, disabled key functions, and implemented safeguards to contain the breach. The platform has since launched a recovery plan that includes burning all illegally minted $YU, restoring liquidity, and allowing users to swap $YU for USDC at a 1:1 ratio. Additionally, Yala will conduct an audit and implement stronger monitoring to prevent future incidents, ensuring user protection and system stability moving forward.[1][2][3][4][5][6][7]

About Yala Protocol

Yala, a platform that allows users to over-collateralize Bitcoin (BTC) in exchange for $YU—its stablecoin—aims to unlock cross-chain liquidity for DeFi protocols and real-world assets (RWAs). Yala emphasizes self-sovereignty, offering low liquidation risk and full exposure to Bitcoin. The platform operates a flywheel model where long-term BTC demand drives liquidity, adoption, and overall growth.

As part of its strategy, Yala provides tailored yield options through its Pro, Lite, and Institution Modes. With a total value locked (TVL) of $184.82 million and a $YU yield of up to 60.01%, users can explore a range of opportunities in DeFi and RWAs, supported by leading partners in the ecosystem. Yala’s mainnet unlocks Bitcoin’s untapped liquidity, facilitating both high yield generation and easy cross-chain movement.

The Reality

Unfortunately, one of the Yala Protocol developers wasn't fully honest.

What Happened

A developer exploited temporary deployment keys to set up an unauthorized cross-chain bridge, extracting 7.64 million USDC (~1,636 ETH) through the Yala protocol.

Key Event Timeline - Yala Protocol Dormant OFTU Unauthorized Mint And Bridge
| Date | Event | Description |
|---|---|---|
| August 4th, 2025 8:46:47 AM MDT | Malicious OFTU Contract Deployed | A malicious OFTU token contract was deployed on Polygon by the hacker, establishing the foundational infrastructure for the future exploit. |
| August 11th, 2025 6:47:22 PM MDT | Temporary Local Key Deployed | During the authorized deployment of Yala’s Solana LayerZero OFT, the hacker secretly exploited a temporary local key to create a peer connection from Solana to the trusted OFTU token contract on the Polygon chain. (Context: temporary single-key deployments were required during the initial phases of the contract upgrade process.) |
| September 13th, 2025 1:20:10 PM MDT | Dormant Backdoor Activated | The hacker activated the 40-day dormant backdoor by configuring the final peer connection from the malicious Polygon OFTU contract to Yala's production $YU LayerZero OFT bridge on Solana, allowing the hacker to bridge malicious tokens from Polygon to Solana disguised as legitimate $YU tokens. |
| September 13th, 2025 1:44:10 PM MDT | Malicious Tokens Minted | 120,000,000 OFTU (malicious tokens) were minted in four transactions on Polygon. |
| September 13th, 2025 2:07:28 PM MDT | LayerZero to Solana Bridging | 30,000,000 OFTU were bridged via LayerZero to Solana, resulting in 30,000,000 $YU over-minted on Solana. |
| September 13th, 2025 2:09:34 PM MDT | Solana To Ethereum Bridge | Out of the 30,000,000 in malicious $YU, 10,000,000 $YU were bridged from Solana to Ethereum. |
| September 13th, 2025 2:11:52 PM MDT | Raydium Swap Performed | 2,000,000 $YU were swapped for 1,996,868 USDC on Raydium. |
| September 13th, 2025 2:13:35 PM MDT | Yala PSM Protocol Used | 5,213,000 $YU were converted to USDC through the Yala PSM protocol. |
| September 13th, 2025 2:19:23 PM MDT | USDC Swapped To Ethereum | 7,642,852 USDC were swapped for 1,635.572 ETH in four transactions via Uniswap. |
| September 13th, 2025 2:25:06 PM MDT | USDC Bridge To Ethereum | 1,800,000 USDC were bridged to Ethereum in two transactions via CCTP. |
| September 13th, 2025 2:25:27 PM MDT | YU Were Swapped | 500,000 $YU were swapped for 490,697 USDC on Raydium. |
| September 13th, 2025 2:40:49 PM MDT | Another Ethereum Bridge | 629,955 USDC were bridged to Ethereum via CCTP. |
| September 13th, 2025 2:45:47 PM MDT | TornadoCash Laundering Begins | Stolen funds began to be laundered through Tornado Cash. |
| September 13th, 2025 9:44:00 PM MDT | Yala Tweet Posted | Yala posts an update about an "attempted attack that briefly impacted YU's peg". |
| September 16th, 2025 5:30:17 AM MDT | Yala Cubist Wallet Solana | Hacker sent over-minted 17,500,000 $YU to Yala Cubist wallet on Solana. |
| September 16th, 2025 5:37:23 AM MDT | Yala Cubist Wallet Ethereum | Hacker sent over-minted 4,787,000 $YU to Yala Cubist wallet on Ethereum. |
| September 16th, 2025 12:57:00 PM MDT | Yala Post-Mortem Published | Yala publishes their post-mortem with an overview of the incident, current status, and steps forward. |
| September 23rd, 2025 7:06:00 AM MDT | Yala Back To Normal | In a tweet announcement, Yala reports that "$YU has fully recovered and the Yala protocol is operating as normal." |

Technical Details

"A hacker abused temporary deployment keys during authorized bridge deployment, set up an unauthorized cross-chain bridge, and extracted 7.64M USDC (~1,636 ETH)."

Hacker Addresses:

Polygon: 0x55d67b5e0e1c88f48c8a9d978ea76b9ec9d488a9

Solana: 87pS8qCum6qaSszbvoARBmFg1Mh1cqcE4ZTAsXfejBMz

ETH: 0x29F48B783EF90F81B51242D9a55e022A214274F5

Total Amount Lost

The loss is the amount already used by the hacker: 7,712,999.80006 $YU. The other minted $YU could not be redeemed.

The total amount lost has been estimated at $7,713,000 USD.

Immediate Reactions

Immediately after detecting suspicious activity, Yala engaged top-tier blockchain security firms, SlowMist and Fuzzland, to conduct a root cause analysis and prevent any further impact. Their expertise was enlisted to understand the exploit thoroughly and begin mitigating the associated risks.

To prevent additional user exposure, Yala promptly disabled the ‘Convert’ and ‘Bridge’ functions, which were identified as potential vectors for the exploit. At the same time, the team worked quickly to contain the breach by halting unauthorized minting and transfers. Protective safeguards were deployed across the platform to secure liquidity and maintain systemic stability during the incident.

Yala also mobilized forensic partners to track on-chain activity and gain a clear picture of how the exploit occurred, who it affected, and whether it had any cross-chain consequences. Upon identifying the individual behind the hack, Yala coordinated efforts with both local and international law enforcement agencies to pursue legal action and support recovery efforts. This rapid, multi-pronged response reflects Yala’s commitment to user safety and the resilience of its ecosystem.

Ultimate Outcome

To mitigate the impact of the incident, Yala has established several core principles to guide the recovery process. First and foremost, the platform is committed to protecting all users from any potential losses. As part of this commitment, all illegally generated $YU will be burned, eliminating any unauthorized tokens from circulation.

Total Amount Recovered

Yala has outlined a clear and structured recovery plan following the security breach. On September 23, 2025, all illegally minted $YU will be destroyed, and the liquidity will be fully restored. This will enable all users to swap their $YU for USDC at a 1:1 ratio, ensuring that affected users can recover their assets.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

To further enhance security and prevent future incidents, Yala will implement extra monitoring for admin actions, bridge statuses, and contract updates. The team will act swiftly but with careful consideration to ensure fairness for all users, making sure that the recovery process is as transparent and equitable as possible. This recovery plan reflects Yala’s dedication to maintaining the trust of its users and securing the long-term stability of the platform.

Yala will conduct a thorough audit of contracts and bridge settings, involving both internal engineers and external security experts like Fuzzland and Cubist to ensure the platform's integrity is restored.
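
An added example, not from the original page or from Yala's code: one way to implement the monitoring of bridge settings described above, by reconciling the peers configured on each bridge contract against an approved topology, so that a peer left dormant after deployment is flagged before it is used. The allowlist, record format, contract names and signer names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed allowlist: (local chain, remote chain) -> the one remote contract approved as peer.
# Contract and signer names are constructed placeholders, not identifiers from the incident.
APPROVED_PEERS = {
    ("solana", "ethereum"): "yu-oft-ethereum",
    ("ethereum", "solana"): "yu-oft-solana",
}
APPROVED_SIGNERS = {"ops-multisig"}


@dataclass(frozen=True)
class PeerEntry:
    """A peer currently configured on a bridge contract (hypothetical record format)."""
    set_on: date
    local_chain: str
    remote_chain: str
    remote_peer: str
    signer: str


def audit_peers(entries, today):
    """Return (days_present, route, peer, reasons) for every entry that needs review."""
    findings = []
    for e in entries:
        reasons = []
        expected = APPROVED_PEERS.get((e.local_chain, e.remote_chain))
        if expected is None:
            reasons.append("route not in approved topology")
        elif e.remote_peer != expected:
            reasons.append("peer differs from approved contract")
        if e.signer not in APPROVED_SIGNERS:
            reasons.append("set by a key outside the approved signers")
        if reasons:
            route = f"{e.local_chain}->{e.remote_chain}"
            findings.append(((today - e.set_on).days, route, e.remote_peer, reasons))
    return sorted(findings, reverse=True)  # longest-standing entries first


# Constructed sample state, modelled on the timeline: one approved peer and one
# extra peer added with a temporary deployment key on 11 August 2025.
SAMPLE = [
    PeerEntry(date(2025, 8, 11), "solana", "ethereum", "yu-oft-ethereum", "ops-multisig"),
    PeerEntry(date(2025, 8, 11), "solana", "polygon", "oftu-polygon", "temp-deploy-key"),
]

if __name__ == "__main__":
    for days, route, peer, reasons in audit_peers(SAMPLE, date(2025, 9, 12)):
        print(f"{route} peer={peer} present {days} days: {'; '.join(reasons)}")
```

Running the audit against configured state on a schedule, rather than only alerting on new configuration events, is what surfaces an entry that was added weeks earlier and has not yet carried traffic.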

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References