Yala Post Mortem | September 14th

This has been the most difficult moment in Yala’s journey. Like many of you, we feel the full weight of this incident: not only as builders but also as members of this community. From the beginning, our deepest concern has not been the financial loss, but how to face the community that placed its trust in us.
We recognize that this event has shaken confidence and take full responsibility for the pain it has caused. Yet despite the depth of this setback, we have chosen to confront it openly, to rebuild stronger, and to remain steadfast in our conviction in Bitcoin and in the vision that gave life to Yala.
TL;DR: Next Tuesday (9/23), $YU will have full liquidity restored and return to its peg.
I. Incident overview
A hacker abused temporary deployment keys during authorized bridge deployment, set up an unauthorized cross-chain bridge, and extracted 7.64M USDC (~1,636 ETH).
- $YU briefly depegged to $0.20 before stabilizing at $0.94.
- No protocol vulnerability was exploited, and no Bitcoin reserves were compromised.
Timeline of events:
- 2025-08-04 14:46:47 UTC — A malicious OFTU token contract was deployed on Polygon by the hacker, establishing the foundational infrastructure for the future exploit.
- 2025-08-12 00:47:22 UTC — During the authorized deployment of Yala’s Solana LayerZero OFT, the hacker secretly exploited a temporary local key to create a peer connection from Solana to the trusted OFTU token contract on the Polygon chain. (Context: temporary single-key deployments were required during the initial phases of the contract upgrade process).
- 2025-09-13 19:20:10 UTC — The hacker activated the 40-day dormant backdoor by configuring the final peer connection from the malicious Polygon OFTU contract to Yala's production $YU LayerZero OFT bridge on Solana, allowing the hacker to bridge malicious tokens from Polygon to Solana disguised as legitimate $YU tokens.
- 2025-09-13 19:44:10 UTC — 120,000,000 OFTU (malicious tokens) were minted in four transactions on Polygon.
- 2025-09-13 20:07:28 UTC — 30,000,000 OFTU were bridged via LayerZero to Solana, resulting in 30,000,000 $YU over-minted on Solana.
- 2025-09-13 20:09:34 UTC — Out of the 30,000,000 in malicious $YU, 10,000,000 $YU were bridged from Solana to Ethereum.
- 2025-09-13 20:11:52 UTC — 2,000,000 $YU were swapped for 1,996,868 USDC on Raydium.
- 2025-09-13 20:25:06 UTC — 1,800,000 USDC were bridged to Ethereum in two transactions via CCTP.
- 2025-09-13 20:25:27 UTC — 500,000 $YU were swapped for 490,697 USDC on Raydium.
- 2025-09-13 20:40:49 UTC — 629,955 USDC were bridged to Ethereum via CCTP.
- 2025-09-13 20:13:35 UTC — 5,213,000 $YU were converted to USDC through the Yala PSM protocol.
- 2025-09-13 20:19:23 UTC — 7,642,852 USDC were swapped for 1,635.572 ETH in four transactions via Uniswap.
- 2025-09-13 20:45:47 UTC — Stolen funds began to be laundered through Tornado Cash.
- 2025-09-16 11:30:17 UTC — Hacker sent over-minted 17,500,000 $YU to Yala Cubist wallet on Solana.
- 2025-09-16 11:37:23 UTC — Hacker sent over-minted 4,787,000 $YU to Yala Cubist wallet on Ethereum.
Hacker addresses:
Current status of funds
Following the unauthorized over-minting of 30,000,000 $YU on Solana, the hacker has returned a substantial portion of the assets. The current state is as follows:
- Total returned: 22,287,000 $YU
  - 17,500,000 $YU on Solana (SOL)
  - 4,787,000 $YU on Ethereum (ETH)
- Remaining, converted by the hacker: 7,713,000 $YU to 1,635.572 ETH
  - Mixed via Tornado Cash: 151.5 ETH
  - Still held in 146 hacker-controlled, distributed wallets: 1474.6 ETH
II. Immediate response
Following initial notice of events, Yala immediately:
- Engaged security specialists (SlowMist, Fuzzland) for root cause analysis and impact prevention.
- Disabled the ‘Convert’ and ‘Bridge’ functions to halt further user exposure.
- Contained the exploit to stop unauthorized minting and transfers. Deployed protective safeguards to secure liquidity and preserve systemic integrity.
- Mobilized forensic partners to trace on-chain activity, analyze the exploit, and assess cross-chain/user impact.
- Coordinated with local and international law enforcement after identifying the hacker.
III. Recovery plan
On September 23, 2025 (next Tuesday), all illegally generated $YU will be destroyed, and liquidity will be fully restored: every user will be able to swap $YU for USDC at a 1:1 ratio.
Our core principles in mitigating this incident are as follows:
- Protect all users from any potential losses
- Burn all the illegally minted $YU
- Audit contracts and bridge settings with internal engineers and external experts (Fuzzland, Cubist)
- Implement extra monitoring for admin actions, bridge status, and contract updates
- Act quickly while maintaining fairness
Breakdown of illegitimate $YU:
- Polygon (90,000,000 OFTU) – Access to the Yala $YU bridge has been disabled after shutting down the illegal bridge (Polygon)
- Cross-chained but unused $YU - under Yala’s control and will be burnt on September 23, 2025.
- Already used by hacker: 7,712,999.80006 $YU
  - Yala will repurchase/collect the same amount (via PSM USDC conversions, DEX purchases, and other methods) and burn them on September 23, 2025.
After these steps, all illegitimate $YU will be fully removed from circulation, ensuring that every remaining $YU is valid and backed by sufficient debt or underlying assets. Liquidity will be restored, allowing users to safely exit positions.
Liquidation penalty compensation:
We are aware that some users were unfairly liquidated due to YU’s de-peg and incurred penalties.
- Starting September 23, 2025, Yala will open a claims process for liquidation penalty compensation.
- Users should contact Yala staff via Discord to register and confirm their claims.
- Because each case requires manual review, processing may take 1-4 weeks.
IV. Our commitment
This incident has reinforced a hard truth: trust must never rest on individuals, but on verifiable processes and shared accountability. Building on our existing security infrastructure, including smart contract audits, multisig treasury management, and operational protocols, we are implementing advanced systematic measures that address evolving security challenges. These comprehensive upgrades ensure that no single point of failure can compromise Yala again.
Key action items include:
- Real-time operational monitoring: We will partner with Fuzzland to implement advanced on-chain monitoring, providing full visibility into all smart contract changes, admin updates, and privileged operations across our protocols.
- Third-party bridge security validation: We have engaged several external security teams as our specialized auditing partners to conduct thorough reviews of all bridge configurations, peer settings, and cross-chain infrastructure. Their audit will confirm no unauthorized connections exist and establish ongoing monitoring for future bridge changes, ensuring full transparency and security.
- Addressing industry limitations: This incident highlighted the evolving nature of cross-chain security requirements, particularly around multisig authorization for complex smart contract operations across different blockchain architectures. We have partnered with Cubist to implement true multi-party control and strengthen governance.
- Continuous security validation: We perform quarterly security assessments with rotating third-party auditors to ensure fresh perspectives. These reviews go beyond smart contract audits to cover operational security, process compliance, and team practices. Each quarter focuses on different areas, namely infrastructure, operations, strategy, and security culture, creating a continuous improvement cycle.
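An added example, not Yala's or its partners' tooling: one way to implement the peer-setting audit described in the action items above, replaying peer-change events for owned bridge contracts against an approved manifest and reporting how long each deviation has been live. The event fields, chain labels, peer ids and signer names are constructed placeholders; only the 2025-08-12 timestamp is taken from the timeline.

```python
from datetime import datetime, timezone

# Approved topology: (local chain, remote chain) -> expected remote peer.
# Chain labels, peer ids and signer names are constructed placeholders.
APPROVED = {
    ("solana", "ethereum"): "peer:eth-oft",
    ("ethereum", "solana"): "peer:sol-oft",
}
MULTISIG_SIGNERS = {"multisig:bridge-admin"}

# Constructed peer-change events for contracts the team owns.
EVENTS = [
    {"ts": "2025-08-11T22:10:00Z", "local": "solana", "remote": "ethereum",
     "peer": "peer:eth-oft", "signer": "multisig:bridge-admin"},
    {"ts": "2025-08-12T00:47:22Z", "local": "solana", "remote": "polygon",
     "peer": "peer:unknown-token", "signer": "key:temp-deploy"},
    {"ts": "2025-08-12T01:05:00Z", "local": "ethereum", "remote": "solana",
     "peer": "peer:sol-oft", "signer": "key:temp-deploy"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def current_peers(events):
    """Replay events into the live peer table; the last write per route wins."""
    table = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        table[(ev["local"], ev["remote"])] = ev
    return table

def audit(events, approved, trusted_signers, now):
    """Flag live peers that deviate from the manifest or bypassed the multisig."""
    findings = []
    for route, ev in sorted(current_peers(events).items()):
        reasons = []
        if route not in approved:
            reasons.append("route-not-in-manifest")
        elif approved[route] != ev["peer"]:
            reasons.append("peer-mismatch")
        if ev["signer"] not in trusted_signers:
            reasons.append("single-key-change")
        if reasons:
            findings.append({"route": route, "peer": ev["peer"], "reasons": reasons,
                             "age_days": (now - parse_ts(ev["ts"])).days})
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, APPROVED, MULTISIG_SIGNERS, parse_ts("2025-09-13T19:00:00Z")):
        print(finding)
```

Run on a schedule, a check of this kind surfaces a peer to an unlisted chain on the first pass after it is set, rather than when the remote side is later wired up.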
V. Conclusion
This incident did not arise from a protocol or smart contract exploit. Immediate containment measures were taken, and structural improvements are already underway to prevent recurrence. Yala remains fully committed to protecting user assets, strengthening governance and security, and maintaining transparent communication.
Our priority is to restore confidence in the protocol and the team behind it, safeguard the community’s long-term trust, and ensure Yala emerges stronger and more resilient. We will continue to provide clear updates as forensic investigations and independent audits progress.
The trust you place in us means everything, and we will not stop until every user is made whole. This event has tested us, but it has also reinforced our conviction in Bitcoin and the mission on which Yala was built.
User actions:
- If you did not move your YU/YBTC after the attack, you can redeem directly
- If you did, you will need to submit a claim with transaction details
- Official redemption and claim instructions will follow on social media and our website. Stay tuned.