YieldBlox Stellar Oracle Manipulation Exploit (Feb 2026)
Summary
On February 22, 2026, the YieldBlox DAO-managed lending pool on Stellar's Blend V2 protocol was drained of approximately $10.97 million via a thin-liquidity oracle manipulation attack targeting the USTRY/USDC pair on the Stellar DEX. An attacker inflated the Reflector VWAP oracle price of USTRY from approximately $1.05 to $107 with a single low-volume trade costing roughly $5, then used overvalued USTRY collateral to borrow the pool's entire XLM and USDC reserves. Stellar Tier-1 validators froze approximately 48 million XLM (~$7.5 million) before the funds could be fully bridged out; the protocol developer Script3 committed to full depositor compensation and the attacker rejected a 10% white-hat bounty offer.
Connected Entities
1 entities · 10 linked investigationsTimeline(9 events)
2025-02-24
Blend V2 Code4rena competitive audit with Certora Formal Verification launched, with a $125,000 USDC prize pool. Reported as the first Rust/Soroban formal verification contest in DeFi.
Code4rena audit listing2026-02-14
Attacker's primary Stellar reconnaissance wallet created, seeded with 56.32 XLM, eight days before the exploit.
Rekt News on-chain forensics2026-02-21
At 23:35 UTC, attacker creates SDEX manipulation burner account (GCNF5GNRIT6VWYZ7LXUZ33Q3SR2NUGO32F5X65VVKAEWWIQCKGYN75HB) with 15 XLM. At 23:38 UTC, attacker places inflated sell offer for USTRY at 107 USDC per USTRY, approximately 100-fold fair value.
Rekt News on-chain forensics2026-02-22
At 00:10:21 UTC, second attacker-controlled account executes price-setting trade of 0.05 USTRY at approximately $106.7, dominating the Reflector VWAP pricing window. At 00:24-00:25 UTC, attacker deposits USTRY collateral and borrows 1,000,196.70 USDC and 61,249,278.31 XLM, draining the entire pool of approximately $10.97 million.
Rekt News; Halborn; BlockSec; QuillAudits2026-02-22
Stellar Tier-1 validators coordinate to freeze approximately 48 million XLM (approximately $7.2-7.5 million) in attacker Stellar accounts before bridging can complete.
Protos; Rekt News2026-02-22
Script3 issues public statement on X confirming exploit is isolated to a single pool, that no other Blend pools are affected, and commits to full depositor compensation for USDC, XLM, and EURC losses.
Script3 on X2026-02-22
YieldBlox Security Council sends on-chain bounty message offering 10% white-hat incentive with 72-hour deadline in exchange for return of frozen funds and cessation of legal pursuit.
Rekt News2026-02-23
Attacker consolidates approximately 380 ETH and bridges funds cross-chain between 09:17 and 09:26 UTC. Attacker does not respond to bounty offer before 72-hour deadline.
Rekt News on-chain forensics2026-02-27
Attacker moves 100 ETH to Tornado Cash (tx 0xdc082828a2358ccb33b3837b49bfe678c31259aad59c39c76916a53f8c73853b), signaling intent to launder rather than return funds.
Rekt News on-chain forensicsDecision Log
- hash: BTHCCcmSUVsmSvevDLnnrAFjd7CXPpoqFuACYgpbmh4q
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/7/2026, 11:29:42 PM
last updated: 6/8/2026, 1:35:04 AM
avoid.net — verified advice for a post-truth world