The attack drained $7.7 million from the protocol through a sophisticated cross-chain exploit that minted 120 million unauthorized tokens.
The incident marks one of the most significant stablecoin failures in recent months. YU has only partially recovered to around $0.78, far below its intended $1.00 peg. This puts serious pressure on the young protocol, which raised $8 million from major investors including Polychain Capital just months ago.
The attacker used a complex multi-step process to drain funds from Yala. According to blockchain data from analytics firm Lookonchain, they first minted 120 million YU tokens on the Polygon network without proper authorization.
The hacker then moved 7.71 million of these tokens across Ethereum and Solana networks, selling them for 7.7 million USDC stablecoins. They quickly converted this USDC into 1,501 Ethereum tokens and spread the funds across multiple wallets to make tracking harder.
The attacker still controls 22.29 million YU tokens on Ethereum and Solana, plus another 90 million YU tokens sitting on Polygon. This means they could potentially dump more tokens and push the price down further.
Yala co-founder Vicky Fu confirmed the attack and said the team is working with security firms SlowMist and Fuzzland to investigate what went wrong. The protocol immediately disabled its Convert and Bridge functions to prevent more damage.
Source: @yalaorg
“All funds are safe. Bitcoin deposited to Yala remains self-custodial or in vaults, with none lost,” the team posted on X (formerly Twitter). They emphasized that user Bitcoin holdings stayed secure, even though the YU stablecoin lost its peg.
The protocol shut down key features as a safety measure while they fix the security holes. Only basic functions remain active while the investigation continues.
YU faces a serious liquidity problem that makes recovery harder. The protocol currently has only $784,000 in USDC available for trading on Ethereum, according to official data. This tiny amount makes it nearly impossible for the stablecoin to regain its $1.00 peg quickly.
Despite claiming a $119 million market cap, YU’s actual trading liquidity tells a different story. The gap between paper value and real trading capacity shows how vulnerable smaller stablecoins can be during attacks.
Large holders trying to sell YU tokens face major problems. Without enough buyers in the market, any significant selling pressure pushes the price down dramatically.
YU operates as an over-collateralized stablecoin backed by Bitcoin reserves. Users deposit Bitcoin as collateral to mint YU tokens, keeping custody of their original Bitcoin while accessing liquidity for DeFi activities.
This system differs from popular stablecoins like USDT and USDC, which are backed by traditional assets like cash and Treasury bills. YU’s Bitcoin backing was supposed to offer advantages like self-custody and no liquidation risk.
The protocol aims to unlock Bitcoin’s value for decentralized finance without forcing users to sell their holdings. Bitcoin owners can earn yields on their assets while maintaining exposure to Bitcoin’s price movements.
The YU attack highlights ongoing security challenges in the stablecoin sector. Even established stablecoins have faced similar problems, including Tether’s temporary depeg in 2023 when trading pools became unbalanced.
YU’s small size compared to major stablecoins like USDT ($170 billion) and USDC ($73 billion) made it an easier target. Smaller protocols often lack the resources and security measures that protect larger platforms.
The incident comes as the total stablecoin market approaches $300 billion in value. Growing institutional adoption makes security failures more damaging to overall market confidence.
Cross-chain attacks like the one hitting Yala are becoming more common as hackers target the complex bridges connecting different blockchain networks. These systems create new attack surfaces that traditional single-chain protocols don’t face.
Yala faces major challenges restoring confidence in YU. The protocol must fix the security vulnerability, rebuild trading liquidity, and convince users that their funds remain safe.
The team has not provided a timeline for restoring full functionality. Until then, YU holders remain stuck with tokens trading well below their intended value.
The attack serves as another reminder that decentralized finance still carries significant risks despite its promises of innovation and financial freedom. Users must carefully evaluate the security and liquidity of newer protocols before committing large amounts of funds.
Also read: Hamster Kombat Daily Combo 15 September 2025: Play To Earn
