On February 22, 2026, the community-managed YieldBlox Blend pool on Stellar suffered a $10M+ exploit\u200a\u2014\u200anot because of a smart contract bug, but due to a classic thin-liquidity oracle manipulation.<\/p>\n
The attacker targeted the illiquid USTRY\/USDC market on the Stellar DEX (SDEX), where trading volume was nearly nonexistent. With market depth close to zero, a single abnormal trade was enough to inflate USTRY\u2019s price from roughly $1 to $106\u200a\u2014\u200aa 100\u00d7 increase.<\/p>\n
Here\u2019s where it gets critical.<\/p>\n
YieldBlox relied on Reflector, a VWAP-based oracle sourcing prices directly from the Stellar DEX. Because no additional trades occurred within the VWAP window, the manipulated trade dominated the average calculation. The oracle updated\u200a\u2014\u200aand reported the inflated price as legitimate.<\/p>\n
The protocol trusted this price without additional liquidity thresholds or sanity\u00a0checks.<\/p>\n
That trust cost over $10\u00a0million.<\/p>\n
Once the oracle reflected the manipulated valuation, the attacker:<\/p>\n
Supplied 13,003 USTRY as collateralBorrowed ~1,000,196 USDCSupplied an additional 140,000\u00a0USTRYBorrowed ~61 million\u00a0XLM<\/p>\n
Because the system believed USTRY was worth $106 instead of ~$1, the collateral was massively overvalued. This enabled excessive borrowing and ultimately left the pool with significant bad\u00a0debt.<\/p>\n
No smart contract was broken.
No reentrancy bug.
No logic\u00a0flaw.<\/p>\n
This was purely an economic\u00a0attack.<\/p>\n
The core issue wasn\u2019t Reflector\u2019s infrastructure. It functioned exactly as designed.<\/p>\n
The weakness lay in relying on a VWAP model tied to an extremely illiquid market\u00a0with:<\/p>\n
Less than $1 in hourly\u00a0volumeVirtually no order book\u00a0depthNo circuit\u00a0breakersNo liquidity validation<\/p>\n
In thin markets, a single trade can distort price reality. Without safeguards, that distorted price becomes protocol\u00a0truth.<\/p>\n
This exploit reinforces a critical\u00a0lesson:<\/p>\n
Mathematically sound oracle systems can still fail when underlying market conditions are economically unsound.<\/p>\n
Want the full breakdown\u200a\u2014\u200aincluding attack flow diagrams, transaction hashes and wallet\u00a0tracing?<\/strong>We\u2019ve published a detailed technical analysis here: Yeildblox Hack\u00a0Analysis<\/strong><\/a><\/p>\n After borrowing, the attacker swapped assets into USDC and bridged funds from Stellar to Base using Allbridge, then moved them to Ethereum via Across and Relay. At the time of reporting, a large portion of the funds remains traceable, with some assets frozen and others dispersed across addresses.<\/p>\n Reflector confirmed its infrastructure wasn\u2019t compromised. Script3 coordinated remediation efforts and announced that depositors in the affected pool would be fully compensated. Importantly, the incident was isolated to a single community-managed pool, with no impact on other Blend\u00a0pools.<\/p>\n This wasn\u2019t a coding failure. It was a market design\u00a0failure.<\/p>\n Thin liquidity + unchecked VWAP models + no circuit breakers = a $10M\u00a0exploit.<\/p>\n Oracle integrations must account not just for price calculation, but for liquidity quality, market depth and manipulation resistance.<\/p>\n YieldBlox $10M Exploit: How a Single Trade Broke an Oracle<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":" On February 22, 2026, the community-managed YieldBlox Blend pool on Stellar suffered a $10M+ exploit\u200a\u2014\u200anot because of a smart contract bug, but due to a classic thin-liquidity oracle manipulation. The attacker targeted the illiquid USTRY\/USDC market on the Stellar DEX (SDEX), where trading volume was nearly nonexistent. With market depth close to zero, a single […]<\/p>\n","protected":false},"author":0,"featured_media":138276,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-138275","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/138275"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=138275"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/138275\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/138276"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=138275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=138275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=138275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Fund Movement<\/h3>\n
Post-Incident Response<\/h3>\n
The Bigger\u00a0Takeaway<\/h3>\n