BlueBerry Protocol

avoid.net/blueberry→32/100·78% conf.

[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]

32/100

[WARNING]78% conf.

Summary

Blueberry Protocol is an Ethereum-based decentralized leveraged yield farming and prime brokerage protocol developed by Composable Corp. In February 2024, the protocol suffered a significant exploit caused by an oracle misconfiguration that allowed a flash loan attacker to drain approximately 457.7 ETH (~$1.35M) from three lending markets; most funds were rescued by white hat MEV operator c0ffeebabe.eth but ~91 ETH (~$265,000) was permanently lost to validator payments. Despite completing multiple Sherlock and Hacken audits and raising $2.5M in a June 2024 Series A, the protocol's security track record and history of audit findings raise material concerns for prospective users.

Connected Entities

2 entities

Organizations

□BlueBerry

Protocols

⌂BlueBerry Protocol

Relationships

+ 3 more

Have evidence about BlueBerry Protocol?

Timeline(13 events)

2023-02-01

Sherlock audit contest #1 (2023-02-blueberry) identifies high-severity issues including ineffective deadline checks and oracle staleness vulnerabilities.

2023-04-01

Sherlock audit contest #2 (2023-04-blueberry) identifies sandwich attack risks in IchiVaultSpell and ConvexSpell withdrawals.

2023-05-01

Sherlock audit contest #3 (2023-05-blueberry) conducted.

2023-07-01

Sherlock audit contest #4 (2023-07-blueberry) conducted.

2024-01-29

BLB token lockdrop campaign begins on Ethereum mainnet, offering 5% of total BLB supply to early lenders over a 56-day period.

2024-02-22

At 08:36 UTC, borrowing functionality in the new money market is activated prematurely — before the intended Monday launch of borrowing strategies. The money market is using CoreOracle, an incorrect oracle that prices assets with fewer than 18 decimals severely below market value.

2024-02-23

At 02:22 UTC, an attacker executes a flash loan attack using 1 WETH from Balancer, exploiting the oracle misconfiguration to drain 8,616 OHM, 913,263 USDC, and 6.87 WBTC across three lending markets, totaling 457.684 ETH (~$1.35M). c0ffeebabe.eth front-runs the attacker and routes 366.6 ETH to the Blueberry multisig. ~91 ETH is permanently lost to validator payments.

2024-02-23

Blueberry Protocol Foundation announces exploit on X (formerly Twitter), pauses all lending operations, and advises users to withdraw from lending markets.

2024-02-24

Blueberry Foundation publishes initial recovery statement committing to 100% repayment of affected lenders. Community TGE allocation increased from 5% to 10% of total supply as additional compensation for affected users.

2024-02-25

Post-mortem published confirming oracle misconfiguration as root cause. Composable Corp pays 10% bounty on recovered funds to c0ffeebabe.eth and collaborators.

2024-03-01

Post-exploit audits commissioned from Spearbit, 0x52, and Cuthalion0x. Results find no additional high-severity vulnerabilities threatening user funds beyond the oracle fix.

2024-06-04

Blueberry Protocol raises $2.5M Series A funding led by White Star Capital, with participation from Varys Capital, SNZ Capital, Alchemix DAO, and others.

2024-06-05

BLB token IDO opens, running through June 10, 2024, raising approximately $190,000 at $0.0194 per BLB.

Provenance & Audit Trail

Anchored on Solana Verify on-chain src:defillama

Decision Log

#1publish⛓ anchored · slot 4225542585/27/2026, 6:12:36 PM
hash: BUjW39rQBv4RkQSb14TGeDFu9J678ZVVz4FZ3UeD4eW7

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

full audit log →version history →

model: claude-sonnet-4-6

generated: 5/4/2026, 2:54:35 AM

last updated: 5/27/2026, 6:12:36 PM

avoid.net — verified advice for a post-truth world