Verify a decision

{"actor":"system:backfill","investigation_id":"6e06c76c-9637-4555-a3e5-8c1d3c736ea5","kind":"publish","page_slug":"blend-pools-v2","published_at":"2026-05-19T21:18:10.630Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Blend Pools V2","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://medium.com/script3/introducing-blend-95aaf66bdf41"},{"credibility":3,"name":"","type":"other","url":"https://docs.blend.capital/users/general-faq"},{"credibility":3,"name":"","type":"other","url":"https://defillama.com/protocol/blend-pools-v2"},{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/defi/meet-blend-stellar-s-modular-liquidity-layer"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://docs.blend.capital/blend-whitepaper"},{"credibility":3,"name":"","type":"other","url":"https://docs.blend.capital/users/general-faq"},{"credibility":3,"name":"","type":"other","url":"https://docs.blend.capital/users/blnd-token"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.certora.com/reports/blend"},{"credibility":3,"name":"","type":"other","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":3,"name":"","type":"other","url":"https://crypto-economy.com/stellar-based-lending-protocol-hit-by-oracle-manipulation-attack/"},{"credibility":3,"name":"","type":"other","url":"https://www.bankless.com/read/news/lending-market-blend-suffers-10m-exploit"},{"credibility":3,"name":"","type":"other","url":"https://www.quillaudits.com/blog/hack-analysis/yeildblox-10m-hack-explained"},{"credibility":3,"name":"","type":"other","url":"https://github.com/blend-capital/blend-contracts-v2"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.linkedin.com/in/markuspaulsonluna/"},{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/defi/meet-blend-stellar-s-modular-liquidity-layer"},{"credibility":3,"name":"","type":"other","url":"https://communityfund.stellar.org/project/blend-mfy"},{"credibility":3,"name":"","type":"other","url":"https://testnet.blend.capital/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://docs.blend.capital/users/general-faq"},{"credibility":3,"name":"","type":"other","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":3,"name":"","type":"other","url":"https://medium.com/@cryip/10-8m-oracle-manipulation-exploit-on-stellars-blend-protocol-6bdcbb1568c0"}]}],"sources_used":[],"summary":"Blend Pools V2 is a modular, permissionless lending protocol built on the Stellar blockchain by Script3, launched as an upgrade to Blend V1 with additions including flash loans and a reduced backstop threshold. In February 2026, a community-managed pool built on top of the protocol (YieldBlox DAO Pool) suffered a $10.8 million oracle manipulation exploit; Script3 stated the core V2 contracts were not at fault, attributing the incident to pool-operator misconfiguration of the Reflector VWAP oracle.","timeline":[{"date":"2023-04-03","event":"Script3 publicly introduces Blend as a liquidity protocol primitive for Stellar's Soroban smart contract platform, announcing it as pre-testnet.","source":""},{"date":"2024-01-25","event":"Certora publishes formal audit of the Blend protocol covering the emitter, liquidity pool instances, and backstop module.","source":""},{"date":"2024-04-09","event":"Co-founder Markus Paulson-Luna discusses Blend's architecture and Stellar DeFi positioning in a public interview with The Defiant.","source":""},{"date":"2026-02-23","event":"Attacker manipulates USTRY/USDC price 100x on SDEX via thin liquidity, exploiting the YieldBlox DAO Pool on Blend V2 and borrowing 61.25M XLM and 1M USDC — approximately $10.8M total.","source":""},{"date":"2026-02-23","event":"Stellar Tier 1 validators coordinate to freeze approximately 48 million XLM (roughly $7.2M) in attacker accounts before bridging to Ethereum is complete.","source":""},{"date":"2026-02-24","event":"Script3 issues public statement attributing the exploit to pool-operator misconfiguration, stating core Blend V2 contracts are unaffected.","source":""},{"date":"2026-02-24","event":"YieldBlox Security Council offers a 10% white-hat bounty with a 72-hour deadline in exchange for return of funds. Attacker does not respond.","source":""},{"date":"2026-02-25","event":"BlockSec and Halborn publish independent post-mortems confirming oracle misconfiguration as root cause; net user loss estimated at approximately $3.6M after frozen XLM is accounted for.","source":""}]},"v":1}