Verify a decision

{"actor":"system:backfill","investigation_id":"c780cc5c-8e20-48dc-b8e2-438bd56cd9d3","kind":"publish","page_slug":"yieldblox-stellar-oracle-manipulation-exploit-feb-2026","published_at":"2026-06-07T23:30:06.503Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"YieldBlox Stellar Oracle Manipulation Exploit (Feb 2026)","sections":[{"content":"On February 22, 2026 at approximately 00:24–00:25 UTC, the YieldBlox DAO Pool — a community-managed lending pool deployed on Blend V2 on the Stellar blockchain — was drained via an oracle price manipulation attack. Total losses are estimated between $10.2 million and $10.97 million depending on the XLM price at time of extraction. The incident was confined to a single pool and a single collateral asset (USTRY). Script3, the development team behind both YieldBlox and Blend, confirmed no other Blend pools were affected and no other pools shared the same vulnerability conditions. The root cause was assessed by multiple security firms as a pool-operator configuration error — specifically, the selection of a manipulable price source (Reflector VWAP from the Stellar DEX) without adequate liquidity safeguards — rather than a flaw in Blend V2's core smart contract architecture.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":2,"name":"Explained: The YieldBlox Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":2,"name":"YieldBlox DAO Incident on Stellar: Oracle Misconfiguration Enabled a $10M+ Drain — BlockSec","type":"research","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":2,"name":"Yieldblox — Rekt News","type":"news_article","url":"https://rekt.news/yieldblox-rekt"},{"credibility":2,"name":"Script3 official statement on X","type":"official","url":"https://x.com/script3official/status/2025403423840141450"}]},{"content":"The attack exploited the Reflector oracle's reliance on volume-weighted average price (VWAP) data sourced from the USTRY/USDC market on Stellar's Decentralized Exchange (SDEX). USTRY is a yield-bearing stablebond issued by Etherfuse. The USTRY/USDC market had less than $1 in hourly trading volume and no meaningful market depth at the time of the attack. Critically, the pool's only market maker had withdrawn all liquidity in the period preceding the exploit, leaving zero trades in the 15-minute window before the attack.\n\nThe attacker proceeded in three phases. First, on February 21, 2026 at 23:38 UTC, a burner account (Stellar address GCNF5GNRIT6VWYZ7LXUZ33Q3SR2NUGO32F5X65VVKAEWWIQCKGYN75HB) placed a sell offer for 1.2185 USTRY at 107 USDC per USTRY — approximately 100x the real market price of ~$1.05. Second, at 00:10:21 UTC on February 22, a second attacker-controlled account (GDHRCQNC64UVL27EXSC6OG6I2FCT4NWM72KNHLHKEB3LK4MEEYYWETN3) executed a small trade of 0.05 USTRY against this offer at a realized price of approximately $106.7. Because this was the only trade in the Reflector oracle's pricing window, the oracle updated its reported USTRY price to reflect the fabricated value at the 00:15 and 00:20 UTC intervals. Third, at 00:24–00:25 UTC, the attacker's primary account (GBOVUL2TOKPWFAWKATIW7K3QYA7WQ63VDY5CAE6AFUUX6BHZBOC2WXC) deposited 13,003 USTRY as collateral and borrowed 1,000,196.70 USDC (transaction hash ae721cacee382bdecac8d2c47286ecd42cb4711f658bb2aec7cba60dc64a31ff). The attacker then deposited an additional 140,000 USTRY and borrowed 61,249,278.31 XLM (transaction hash 3e81a3f7b6e17cc22d0a1f33e9dcf90e5664b125b9e61f108b8d2f082f2d4657), representing the entire pool's XLM reserves. Total collateral deposited was approximately 153,000 USTRY, with a fair-value cost of roughly $160,000, against which the attacker extracted approximately $10.97 million.","heading":"Technical Attack Mechanics","severity":"critical","sources":[{"credibility":2,"name":"Yieldblox — Rekt News (full on-chain forensics)","type":"research","url":"https://rekt.news/yieldblox-rekt"},{"credibility":2,"name":"YeildBlox $10M Hack (Oracle Manipulation — Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/yeildblox-10m-hack-explained"},{"credibility":2,"name":"Explained: The YieldBlox Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":3,"name":"$10.8M Oracle Manipulation Exploit on Stellar's Blend Protocol — Cryip/Medium","type":"research","url":"https://medium.com/@cryip/10-8m-oracle-manipulation-exploit-on-stellars-blend-protocol-6bdcbb1568c0"}]},{"content":"Following the exploit, the attacker moved stolen funds across multiple blockchains to obscure the trail. Stolen assets were bridged from Stellar to Base via Allbridge, then routed from Base to Ethereum via the Across and Relay bridge protocols. Final destinations included Ethereum mainnet, Base, and BNB Chain.\n\nOn February 23, 2026 between 09:17 and 09:26 UTC, the attacker consolidated and moved approximately 380 ETH via bridge transactions. On February 27, one of the exploiter EVM wallets moved 100 ETH to Tornado Cash (transaction hash 0xdc082828a2358ccb33b3837b49bfe678c31259aad59c39c76916a53f8c73853b). The attacker used at least three EVM addresses: Exploiter 1 (0xE69f6d77DB6Ff493FDD15D8A0B390c36E18E5b21, holding 363.98 ETH and 12.78 ETH on Base), Exploiter 2 (0x2D1CE29b4aF15fb6E76Ba9995BbE1421E8546482, holding 357.28 ETH, 19.23 ETH, and 38,746 USDC), and a child wallet (0x0b2B16E1a9E2e9b15027AE46Fa5eC547f5ef3eC6, holding 300 ETH). A gas supplier address (0xd7e42d9502fbd66d90750e544e05c2b3ca7cbd22) was flagged as associated with phishing activity.\n\nNotably, one of the attacker's primary wallets was funded via a Binance exchange hot wallet, creating an alleged KYC trail. Approximately 3.77 million XLM was sent to Binance (KYC exchange) and 3.97 million XLM to ChangeNow (non-KYC). As of late February 2026, millions of dollars in stolen funds reportedly remained in EVM wallets linked to the Binance deposit trail.","heading":"Fund Movement and Laundering Activity","severity":"critical","sources":[{"credibility":2,"name":"Yieldblox — Rekt News (on-chain fund tracing)","type":"on_chain","url":"https://rekt.news/yieldblox-rekt"},{"credibility":2,"name":"YieldBlox lending pool hit by $10M hack on Stellar — Protos","type":"news_article","url":"https://protos.com/yieldblox-lending-pool-hit-by-10m-hack-on-stellar/"},{"credibility":3,"name":"blnd-huntr: Forensic investigation dashboard for the February 2026 Blend Protocol exploit — GitHub","type":"on_chain","url":"https://github.com/saariuslystoned/blnd-huntr"}]},{"content":"In an unusual and notable intervention, Stellar's Tier-1 validators coordinated to freeze approximately 48 million XLM — representing roughly 78% of the stolen XLM and approximately $7.2–$7.5 million at the time of the freeze — across the attacker's Stellar accounts before the funds could be fully bridged off-chain. This represents one of the more effective on-chain recovery actions for a DeFi exploit in the Stellar ecosystem.\n\nFollowing the freeze, the YieldBlox Security Council sent an on-chain bounty message to the attacker (EVM message hash 0x7979c9faa2eba7afa29702382205930f77a461174d4eeeb3382e22bb7177171e) offering a 10% white-hat bounty with a 72-hour deadline in exchange for the return of the frozen 48 million XLM and any other remaining funds. The attacker did not accept the offer and continued moving funds after the deadline elapsed, including the February 27 Tornado Cash deposits.","heading":"Validator Response and Fund Recovery","severity":"high","sources":[{"credibility":2,"name":"Yieldblox — Rekt News","type":"news_article","url":"https://rekt.news/yieldblox-rekt"},{"credibility":2,"name":"Lending Market 'Blend' Suffers $10M+ Exploit — Bankless","type":"news_article","url":"https://www.bankless.com/read/news/lending-market-blend-suffers-10m-exploit"},{"credibility":2,"name":"YieldBlox lending pool hit by $10M hack on Stellar — Protos","type":"news_article","url":"https://protos.com/yieldblox-lending-pool-hit-by-10m-hack-on-stellar/"}]},{"content":"Script3, the development team behind both YieldBlox and Blend V2, issued a public statement confirming the exploit was isolated to a single community-managed pool and that no other Blend pools were affected or vulnerable. Script3 committed to fully compensating all depositors in the affected pool for losses in USDC, XLM, and EURC.\n\nReflector, the oracle provider, stated that its infrastructure was not compromised and that it had reported accurate market prices given the available market data. Reflector attributed the incident to extreme market illiquidity rather than any failure of its oracle system itself, and confirmed that other assets with meaningful liquidity and multiple active traders were not at risk of similar manipulation.\n\nEtherfuse, the issuer of the USTRY stablebond used as the manipulated collateral asset, was identified as a named party in post-mortems but no specific remediation action from Etherfuse was cited in available sources.","heading":"Protocol Response and Depositor Compensation","severity":"medium","sources":[{"credibility":2,"name":"Script3 official statement on X","type":"official","url":"https://x.com/script3official/status/2025403423840141450"},{"credibility":2,"name":"YieldBlox DAO Incident on Stellar — BlockSec","type":"research","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":2,"name":"Explained: The YieldBlox Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"}]},{"content":"Blend V2 underwent a $125,000 Code4rena competitive audit with a Certora Formal Verification component running from February 24 to March 17, 2025 — approximately one year before the exploit. This was reported to be the first Rust/Soroban formal verification contest in DeFi history. The Certora formal verification focused on the Backstop contract's solvency and key invariants in the core lending logic.\n\nThe exploit did not bypass any of the formally verified properties. The health-factor check that allowed the attacker to borrow worked exactly as designed and verified — it correctly evaluated collateral value against liabilities using the oracle-reported price. The vulnerability lay in the oracle price itself being manipulable, a risk surface outside the scope of the formal verification. Security researchers noted this as a demonstration that formal verification of smart contract logic does not preclude oracle manipulation attacks from external data sources.","heading":"Prior Security Audits","severity":"medium","sources":[{"credibility":2,"name":"Blend V2 Audit + Certora Formal Verification — Code4rena","type":"research","url":"https://code4rena.com/audits/2025-02-blend-v2-audit-certora-formal-verification"},{"credibility":2,"name":"Yieldblox — Rekt News","type":"news_article","url":"https://rekt.news/yieldblox-rekt"}]},{"content":"Multiple independent security firms — including Halborn, BlockSec, and QuillAudits — converged on a consistent root cause classification: this was a thin-liquidity oracle manipulation attack enabled by a pool-operator configuration decision rather than a flaw in Blend V2's core protocol. The specific contributing factors were: (1) selection of the Reflector VWAP oracle sourced from a single illiquid SDEX market for a collateral asset with minimal real trading volume; (2) absence of minimum liquidity thresholds or volume requirements as oracle validity gates; (3) absence of circuit breakers for anomalous price movements; (4) absence of multi-source price aggregation for the USTRY asset; and (5) the withdrawal of the pool's only market maker in the period immediately preceding the attack, which may or may not have been a deliberate precondition staged by the attacker.\n\nThe attack pattern — exploiting VWAP oracle manipulation in a thin-liquidity market — is a well-documented class of DeFi exploit. Similar mechanics were used in the Mango Markets exploit (October 2022) and numerous earlier incidents on other chains. The YieldBlox incident is notable for its deployment on Stellar's Soroban smart contract environment, which had not previously seen a major exploit of this scale.","heading":"Root Cause Assessment and Classification","severity":"high","sources":[{"credibility":2,"name":"YieldBlox DAO Incident on Stellar — BlockSec","type":"research","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":2,"name":"Explained: The YieldBlox Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":2,"name":"YeildBlox $10M Hack (Oracle Manipulation — Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/yeildblox-10m-hack-explained"},{"credibility":3,"name":"YieldBlox $10M Exploit: How a Single Trade Broke an Oracle — Coinmonks/Medium","type":"research","url":"https://medium.com/coinmonks/yieldblox-10m-exploit-d00f9ff88d27"}]}],"sources_used":[{"credibility":2,"name":"Explained: The YieldBlox Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yieldblox-hack-february-2026"},{"credibility":2,"name":"YieldBlox DAO Incident on Stellar: Oracle Misconfiguration Enabled a $10M+ Drain — BlockSec","type":"research","url":"https://blocksec.com/blog/yieldblox-dao-incident-on-stellar-oracle-misconfiguration-enabled-a-10m-drain"},{"credibility":2,"name":"Yieldblox — Rekt News","type":"news_article","url":"https://rekt.news/yieldblox-rekt"},{"credibility":2,"name":"YieldBlox lending pool hit by $10M hack on Stellar — Protos","type":"news_article","url":"https://protos.com/yieldblox-lending-pool-hit-by-10m-hack-on-stellar/"},{"credibility":2,"name":"Lending Market 'Blend' Suffers $10M+ Exploit — Bankless","type":"news_article","url":"https://www.bankless.com/read/news/lending-market-blend-suffers-10m-exploit"},{"credibility":2,"name":"YeildBlox $10M Hack (Oracle Manipulation — Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/yeildblox-10m-hack-explained"},{"credibility":2,"name":"Script3 official statement on X","type":"official","url":"https://x.com/script3official/status/2025403423840141450"},{"credibility":2,"name":"Blend V2 Audit + Certora Formal Verification — Code4rena","type":"research","url":"https://code4rena.com/audits/2025-02-blend-v2-audit-certora-formal-verification"},{"credibility":3,"name":"$10.8M Oracle Manipulation Exploit on Stellar's Blend Protocol — Cryip/Medium","type":"news_article","url":"https://medium.com/@cryip/10-8m-oracle-manipulation-exploit-on-stellars-blend-protocol-6bdcbb1568c0"},{"credibility":3,"name":"YieldBlox $10M Exploit: How a Single Trade Broke an Oracle — Coinmonks/Medium","type":"research","url":"https://medium.com/coinmonks/yieldblox-10m-exploit-d00f9ff88d27"},{"credibility":3,"name":"blnd-huntr: Forensic investigation dashboard for the February 2026 Blend Protocol exploit — GitHub","type":"on_chain","url":"https://github.com/saariuslystoned/blnd-huntr"},{"credibility":3,"name":"Stellar-Based Lending Protocol Hit by Oracle Manipulation Attack — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/stellar-based-lending-protocol-hit-by-oracle-manipulation-attack/"}],"summary":"On February 22, 2026, the YieldBlox DAO-managed lending pool on Stellar's Blend V2 protocol was drained of approximately $10.2–$10.97 million via a thin-liquidity oracle manipulation attack targeting the USTRY/USDC pair on the Stellar DEX. An attacker used two coordinated accounts to inflate the Reflector VWAP oracle price of USTRY from approximately $1.05 to $107 with a single low-volume trade, then deposited overvalued USTRY as collateral to borrow the entirety of the pool's XLM and USDC reserves. Stellar Tier-1 validators froze approximately 48 million XLM (~$7.5M) before it could be fully bridged out; the protocol's developer, Script3, committed to full depositor compensation.","timeline":[{"date":"2025-02-24","event":"Blend V2 Code4rena competitive audit with Certora Formal Verification launched, with $125,000 USDC prize pool. First Rust/Soroban formal verification contest in DeFi.","source":"Code4rena audit listing","source_url":"https://code4rena.com/audits/2025-02-blend-v2-audit-certora-formal-verification"},{"date":"2026-02-14","event":"Attacker's primary Stellar reconnaissance wallet created, seeded with 56.32 XLM.","source":"Rekt News on-chain forensics","source_url":"https://rekt.news/yieldblox-rekt"},{"date":"2026-02-21","event":"At 23:35 UTC, attacker creates a SDEX manipulation burner account (GCNF5GNRIT6VWYZ7LXUZ33Q3SR2NUGO32F5X65VVKAEWWIQCKGYN75HB) with 15 XLM. At 23:38 UTC, attacker places inflated sell offer of 1.2185 USTRY at 107 USDC per USTRY — approximately 100x fair value.","source":"Rekt News on-chain forensics","source_url":"https://rekt.news/yieldblox-rekt"},{"date":"2026-02-22","event":"At 00:10:21 UTC, second attacker-controlled account executes price-setting trade of 0.05 USTRY at ~$106.7, setting the Reflector oracle price. At 00:24–00:25 UTC, attacker borrows 1,000,196 USDC and 61,249,278 XLM against overvalued USTRY collateral, draining the entire pool.","source":"Rekt News; Halborn; BlockSec","source_url":"https://rekt.news/yieldblox-rekt"},{"date":"2026-02-22","event":"Stellar Tier-1 validators coordinate to freeze approximately 48 million XLM (~$7.2–7.5M) in attacker's Stellar accounts before bridging can complete.","source":"Protos; Bankless; Rekt News","source_url":"https://protos.com/yieldblox-lending-pool-hit-by-10m-hack-on-stellar/"},{"date":"2026-02-22","event":"Script3 issues public statement confirming exploit is isolated to a single pool, that no other Blend pools are affected, and committing to full depositor compensation for USDC, XLM, and EURC losses.","source":"Script3 on X","source_url":"https://x.com/script3official/status/2025403423840141450"},{"date":"2026-02-22","event":"YieldBlox Security Council sends on-chain bounty message offering 10% white-hat incentive with 72-hour deadline for return of frozen funds.","source":"Rekt News","source_url":"https://rekt.news/yieldblox-rekt"},{"date":"2026-02-23","event":"Attacker consolidates and bridges approximately 380 ETH via cross-chain bridge protocols between 09:17–09:26 UTC. Attacker ignores 72-hour bounty deadline.","source":"Rekt News on-chain forensics","source_url":"https://rekt.news/yieldblox-rekt"},{"date":"2026-02-27","event":"Attacker moves 100 ETH to Tornado Cash (tx hash 0xdc082828a2358ccb33b3837b49bfe678c31259aad59c39c76916a53f8c73853b), signaling intent to launder rather than return funds.","source":"Rekt News on-chain forensics","source_url":"https://rekt.news/yieldblox-rekt"}]},"v":1}