Yala Exploit

On September 14, 2025, Yala—a Bitcoin-backed overcollateralized stablecoin protocol (Polychain-funded, mainnet July 2025) enabling BTC DeFi via YBTC wrapping and $YU minting (1:1 USDC redeemable) across Ethereum/Polygon/Solana—lost $7.7M in an unauthorized minting attack on Polygon, where a hacker abused temporary deployment keys during bridge setup to forge a cross-chain bridge, minting 120M unbacked $YU (~$120M face value) without BTC collateral, bridging/selling 7.71M $YU for 7.7M USDC via Uniswap/Jupiter, swapping to 1,501 ETH laundered through Tornado Cash/FixedFloat/deBridge, and holding 22.29M $YU (ETH/Solana) + 90M $YU (Polygon) as a potential dump threat—crashing $YU from $1 to $0.20 (volume +500%, liquidity $355k). SlowMist/Lookonchain flagged; Yala paused Convert/Bridge (BTC vaults self-custodial/safe), coordinated with law enforcement/exchanges for freezes, and pledged 1:1 USDC redemptions via pool restoration/illegally-minted burn (Sep 23), plus monthly $750k revenue for ops—$YU stabilized at $0.7869 amid $3.1B H1 2025 losses. This deployment flaw—bypassing collateral checks—exposes multi-chain minting risks, urging timelocked keys, multi-sig mints, and invariant audits to avert $7.7M depegs in BTC DeFi.