BTC $66 800,10 2.25%
ETH $1 992,23 3.65%
USDT $1,00 0.01%
XRP $1,40 3.9%
BNB $620,46 1.18%
USDC $1,0000 0.01%
SOL $85,44 2.79%
TRX $0,2848 0.54%
DOGE $0,0967 2.81%
ADA $0,2877 2.06%
BCH $480,24 3.62%
LEO $8,78 0.06%
HYPE $29,35 +0.35%
XMR $351,23 +1.1%
CC $0,1706 2.43%
LINK $9,01 2.9%
USDe $0,9995 +0.02%
DAI $1,0000 +0.01%
XLM $0,1626 1.34%
USD1 $0,9999 +0.05%
Home News

Stellar YieldBlox Pool Drained After Oracle Misconfig

admin admin
Feb 27, 2026, 10:25 AM
Stellar YieldBlox Pool Drained

A lending pool operated by YieldBlox DAO on Stellar’s Blend V2 was exploited on February 22, 2026, with losses estimated at $10 million+, according to a BlockSec incident write-up. The attacker manipulated a thin on-chain market, fed the distorted price into the pool’s oracle configuration, and drained assets.

BlockSec stresses this was not a Blend V2 core-contract bug. It was a pool-operator configuration failure: the pool relied on a manipulable price source for collateral valuation.

 

A shallow market price spike fooled the pool’s oracle path

BlockSec says the attacker targeted the USTRY/USDC market on SDEX, which was “very shallow.” By clearing normal orders and placing abnormal orders, the attacker pushed the apparent USTRY price from about $1.06 to about $107.

The pool’s configured Reflector oracle path then accepted the manipulated market price and updated the feed. With USTRY suddenly “worth” far more than reality, the pool’s risk logic treated USTRY collateral as massively overvalued—creating artificial borrow power.

How the drain happened, step by step

BlockSec outlines a straightforward chain of events:

  • Price manipulation: USTRY/USDC was pushed sharply higher on SDEX.
  • Oracle update: Reflector pulled the manipulated SDEX price and updated its feed.
  • Borrow against inflated collateral: The attacker used overvalued USTRY to borrow from the pool, draining USDC and XLM.

In the transaction sequence described, BlockSec says the attacker borrowed roughly $1M USDC and about 61.2M XLM (listed as ~$9.85M in the report), using USTRY collateral.

Funds were bridged out to multiple chains

After draining the pool, BlockSec says the attacker bridged assets to Base, BSC, and Ethereum, indicating an effort to disperse funds across ecosystems and liquidity venues.

BlockSec’s estimate for total losses remains about $10M+ on Stellar.

BlockSec’s conclusion: not a protocol flaw, but a price dependency failure.

BlockSec’s closing assessment is blunt: the incident happened because the pool’s collateral valuation depended on a manipulable market. The lesson, it says, is that isolated lending pools must choose and monitor price dependencies with strong manipulation resistance, especially when the underlying market is thin. It’s also consistent with BlockSec’s broader view of 2025’s threat landscape: scams, hacks, and sanctions-linked flows are becoming more concentrated into identifiable corridors — which makes misconfig-driven drains like this one a repeatable playbook, not a one-off anomaly.

Why it matters for crypto

  • Oracle design is still a top DeFi risk: thin liquidity + naïve price sourcing can turn collateral into a money printer.
  • “Isolated pools” reduce contagion, but they also push critical security decisions onto pool operators.
  • Stablecoin-like collateral (here, USTRY) can become dangerous if its reference market is shallow and easy to move.
  • Cross-chain bridges remain the default exit route after exploits, complicating recovery and enforcement.

What to watch next

  • Whether YieldBlox DAO changes oracle configuration (deeper price sources, TWAPs, circuit breakers, stricter collateral caps).
  • Any public steps to pause the pool, unwind bad debt, or compensate affected users.
  • Follow-on tracing showing where bridged funds land on Base/BSC/Ethereum and whether any assets get frozen.
  • Whether other Stellar Blend V2 pool operators audit their oracle paths for similar shallow-market dependencies.

What we don’t know yet

  • Whether any funds were recovered or frozen after the bridging activity.
  • The report does not identify the attacker or provide attribution beyond on-chain addresses.

Source: BlockSec – YieldBlox DAO Incident on Stellar: Oracle Misconfiguration Enabled a $10M+ Drain