Yala Hacker Sells $7.7M in Tokens After Minting 120M YU on Polygon
Yala’s post-mortem reveals a hacker misused a temporary deployment key to drain $7.64M USDC, with recovery steps including token burns, liquidity restoration, and user compensation scheduled for September 23.
Yala has released a post-mortem report detailing the September 14 attack, where a hacker exploited a temporary deployment key during bridge deployment to create an unauthorized cross-chain bridge and extract $7.64 million USDC, equal to about 1,636 ETH. The attacker overissued 30 million YU on Solana, later returning 22.287 million YU, while 7.713 million YU were converted to ETH. The exploit caused YU to briefly depeg to $0.20 before recovering to $0.94, with Yala confirming no protocol vulnerabilities and unaffected Bitcoin reserves. On September 23, all illicitly minted YU will be burned, liquidity restored, and 1:1 USDC redemption reinstated. Compensation claims for wrongful liquidations from the depeg will also open the same day.
- USDC: A U.S. dollar–pegged stablecoin used for transactions and trading in the crypto ecosystem.
- Cross-chain Bridge: A protocol mechanism that allows assets to be transferred between different blockchain networks.
- Deployment Key: A temporary or permanent cryptographic key used during protocol or contract deployment that grants high-level permissions.