Explained: The Yala Hack (September 2025)

POSTED BY: Rob Behnke

09.23.2025

In September 2025, Yala, a stablecoin protocol, was the victim of a hack involving compromised keys. The attacker took advantage of the access these keys provided to set up a cross-chain bridge and drain an estimated $7.64 million in USDC from the protocol.

Inside the Attack

The Yala hack began in August 2025, when the attacker took advantage of temporary deployment keys during the deployment of Yala’s Solana LayerZero OFT. During this event, the attacker created a connection between Solana and the legitimate OFTU token contract hosted on Polygon.

The next stage of the attack occurred in September, when the attacker used the 40-day dormant backdoor to create another connection from a malicious OFTU token contract that they deployed on Polygon to the legitimate $YU LayerZero OFT bridge on Polygon. This allowed the attacker’s malicious tokens to be bridged from Polygon to Solana while masquerading as legitimate $YU tokens.

Then, the attacker performed four transactions, minting a total of 120 million OFTU. Of these, 30 million OFTU were bridged to Solana, creating 30 million over-minted $YU. Approximately 22.2 million of the over-minted $YU were later returned to Yala, while the remaining 7.7 million were converted to Ethereum and laundered via Tornado Cash.

After discovering the attack, Yala disabled conversion and bridging to prevent additional thefts and worked to contain the attack and block minting and transfers. It also destroyed all illegal $YU tokens to help protect its peg.

Lessons Learned from the Attack

The Yala hack is an example of a carefully planned and sophisticated attack exploiting access to the project’s private keys. The attacker initially created malicious contracts and an unauthorized bridge in August 2025, during the deployment of the protocol’s legitimate bridge. Over a month later, they took advantage of this infrastructure to perform unauthorized minting of $YU tokens for a profit.
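The unauthorized connection described above sat unused for weeks, which is the window a routine configuration audit covers. The following is an added example, not code from Yala, LayerZero or Halborn: it replays bridge peer-configuration events and reports any route whose current peer is not in an approved map. The event layout, chain labels, endpoint ids, addresses and timestamps are constructed assumptions.

```python
from datetime import datetime

ZERO_PEER = "0x" + "00" * 32  # assumption: an all-zero peer means the route is disabled

# Approved routes, kept out of band: (local chain, remote endpoint id) -> peer address.
# Chain labels, endpoint ids, addresses and timestamps here are constructed placeholders.
APPROVED_PEERS = {
    ("polygon", 111): "0x" + "aa" * 32,
    ("solana", 222): "0x" + "bb" * 32,
}

# Constructed sample of peer-configuration events as (chain, remote_eid, peer, time).
SAMPLE_EVENTS = [
    ("polygon", 111, "0x" + "aa" * 32, "2025-08-01T10:00:00+00:00"),
    ("solana", 222, "0x" + "bb" * 32, "2025-08-01T10:05:00+00:00"),
    ("solana", 222, "0x" + "CC" * 32, "2025-08-01T10:07:00+00:00"),  # overwrites approved peer
    ("polygon", 333, "0x" + "dd" * 32, "2025-08-01T10:09:00+00:00"),  # route nobody approved
    ("polygon", 444, "0x" + "ee" * 32, "2025-08-01T10:10:00+00:00"),
    ("polygon", 444, ZERO_PEER, "2025-08-01T10:11:00+00:00"),          # later disabled
]


def audit_peers(events, approved, now):
    """Replay events to the current peer per route and report unapproved ones."""
    current = {}  # (chain, remote_eid) -> (peer, time it was set)
    for chain, eid, peer, ts in sorted(events, key=lambda e: datetime.fromisoformat(e[3])):
        current[(chain, eid)] = (peer.lower(), datetime.fromisoformat(ts))
    findings = []
    for route, (peer, set_at) in sorted(current.items()):
        expected = approved.get(route)
        if peer == ZERO_PEER or (expected and peer == expected.lower()):
            continue  # disabled route or exact match with the approved peer
        reason = "unapproved route" if expected is None else "peer mismatch"
        # days_open shows how long the connection has existed, used or not
        findings.append({"route": route, "peer": peer, "reason": reason,
                         "days_open": (now - set_at).days})
    return findings


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-09-10T12:00:00+00:00")
    for f in audit_peers(SAMPLE_EVENTS, APPROVED_PEERS, now):
        print(f)
```

Run on a schedule against each chain's indexed events, a non-empty result is an alert whether or not any tokens have moved over the route yet.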

This incident also demonstrates the potential impacts of compromised private keys on a project. While the attacker successfully transferred and laundered approximately $7.64 million in stolen tokens, they had minted about 120 million. If the attacker had chosen to bridge and launder all of the tokens they created, the impacts on Yala and its users would have been much worse.

As attackers increasingly target off-chain security lapses, such as inadequate private key security, DeFi projects need to improve their defenses to avoid being the target of similar attacks. Halborn offers advisory services designed to help organizations implement security best practices both on-chain and off-chain. Get in touch to learn more about our services.
