A significant security breach occurred on Sunday affecting the Yala protocol, leading to a collapse in its Bitcoin-backed stablecoin, YU, which plummeted from its $1.00 target to just $0.20.
The breach resulted in the loss of $7.7 million from the protocol due to a sophisticated cross-chain attack that generated 120 million unauthorized tokens. This incident stands out as one of the most notable stablecoin failures in recent months. Although YU has partially bounced back to around $0.78, it remains significantly below its intended $1.00 value, putting considerable strain on the fledgling protocol, which had raised $8 million from prominent investors like Polychain Capital just months prior.
Attack Overview
The attacker employed a complex, multi-step approach to siphon funds from Yala. Based on blockchain data from analytics firm Lookonchain, the assailant first minted 120 million YU tokens on the Polygon network without required authorization.
Next, the hacker transferred 7.71 million of these tokens across Ethereum and Solana, converting them into 7.7 million USDC stablecoins. They promptly swapped the USDC for 1,501 Ethereum tokens and diversified the funds among multiple wallets to hinder traceability.
The attacker still holds 22.29 million YU tokens on Ethereum and Solana and an additional 90 million YU tokens on Polygon, potentially allowing for further token dumps that could further decrease the price.
Response and Mitigation Efforts
Vicky Fu, co-founder of Yala, confirmed the attack and stated that the team is collaborating with security firms SlowMist and Fuzzland to investigate the breach. To prevent further damage, they immediately disabled their Convert and Bridge functions.
“All funds are safe. Bitcoin deposited to Yala is either held in self-custody or in vaults, with nothing lost,” the team announced on X (formerly Twitter). They reassured that user Bitcoin holdings remain secure, even as the YU stablecoin has deviated from its peg.
Liquidity Issues Exacerbate Challenges
YU now faces a severe liquidity crisis, complicating recovery efforts. The protocol presently possesses only $784,000 in USDC available for trading on Ethereum, according to official reports. This limited liquidity makes it extremely difficult for the stablecoin to regain its $1.00 peg in the short-term.
Despite boasting a market cap of $119 million, YU’s trading liquidity reveals a stark disparity. This gap between projected and actual trading capacity demonstrates the fragility of smaller stablecoins during such attacks, where significant selling pressure could dramatically reduce the price.
What Sets YU Apart
YU operates as an over-collateralized stablecoin backed by Bitcoin reserves, allowing users to deposit Bitcoin to mint YU tokens. This unique structure facilitates liquidity for DeFi activities without forfeiting custody of their Bitcoin.
Unlike popular stablecoins such as USDT and USDC, which are backed by conventional assets like cash and treasury bills, YU’s Bitcoin backing offers advantages like self-custody and eliminates the risk of liquidation. The protocol aims to unlock the utility of Bitcoin for decentralized finance without compelling users to sell their holdings.
Wider Market Ramifications
The YU attack underscores the persistent security vulnerabilities within the stablecoin sector. Even established stablecoins have encountered similar difficulties, such as Tether’s temporary depeg in 2023 due to trading pool imbalances.
Given YU’s smaller scale compared to major stablecoins like USDT ($170 billion) and USDC ($73 billion), it was an easier target. Smaller platforms often lack the security measures and resources that protect larger protocols. As the total stablecoin market approaches $300 billion in value, the impact of security failures on market confidence is growing.
Path to Recovery
Yala faces significant hurdles in restoring confidence in YU. The protocol needs to address security vulnerabilities, rebuild trading liquidity, and ensure users that their funds are safe. The team has not specified a timeline for resuming full functionality, leaving YU holders with tokens trading at a substantial discount from their intended value.
This incident serves as a reminder of the inherent risks associated with decentralized finance, despite its innovative promises. Users must carefully consider the security and liquidity of newer protocols before making large fund commitments.
