Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 262 · Oracle Manipulation

YieldBlox Stellar Single-Trade Oracle

YieldBlox's Stellar lending pool lost $10.2M after a single USTRY-for-USDC sell at 501x market rate defined the Reflector oracle price in a quiet 15-min window.

Date: February 4, 2026
Victim: YieldBlox
Chain(s): Stellar
Status: Partially Recovered

On February 4, 2026, YieldBlox's DAO-managed lending pool — built with Blend on the Stellar blockchain — lost approximately $10.2 million through a textbook single-trade oracle manipulation. The attacker placed a single sell offer for USTRY at 501 USDC per USTRY during a 15-minute window when no other USTRY trading had occurred, defining the Reflector oracle's price for the entire window. $7.2 million was subsequently frozen by Stellar Tier-1 validators.

What happened

YieldBlox's lending pool accepted USTRY (a US Treasury yield token) as collateral, with prices supplied by the Reflector oracle — Stellar's native oracle infrastructure. Reflector pricing for the USTRY/USDC pair was based on on-chain trades within rolling time windows.

The fatal combination:

  1. USTRY/USDC had extremely low liquidity on Stellar — the market saw only sporadic trades.
  2. No trades occurred in the 15 minutes preceding the attack — meaning the next trade would define the oracle's reported price for the entire window.
  3. Reflector's price-derivation logic did not require minimum volume or multiple trades to validate a window's price; a single trade was sufficient.

The attack:

  1. The attacker placed a sell offer for USTRY priced at 501 USDC per USTRY — vastly above the real market price (USTRY trades close to the underlying Treasury yield, typically near $1 per token).
  2. Someone (the attacker themselves, or someone responding to the visible quote) executed even a tiny trade at the offered price — establishing the price for the Reflector oracle's window.
  3. With the oracle now reporting USTRY at 501 USDC per token, the attacker deposited a small amount of USTRY as collateral and borrowed everything available from YieldBlox's pool against the inflated valuation.
  4. The attacker walked away without repaying, leaving YieldBlox with worthless inflated-value USTRY as the only backing for the stolen loans.

Total extraction: approximately $10.2 million in USDC, XLM and other pool assets.

Aftermath

  • Stellar Tier-1 validators froze approximately $7.2 million of the stolen assets within the attacker's wallets — using Stellar's account-freezing capability that the network's small, coordinated validator set can exercise.
  • YieldBlox paused the affected pool and offered the attacker a 10% bounty with a 72-hour deadline. The attacker did not respond.
  • The protocol coordinated with the Stellar Development Foundation on the validator-freeze response.
  • The frozen ~$7.2M provided a basis for partial user reimbursement; the remaining ~$3M was unrecovered.

Why it matters

YieldBlox is one of the cleanest cases for how oracle aggregation must require minimum volume and source-count guarantees for any asset used as collateral. Constructing the manipulation required only a small amount of attacker capital: the cost was the spread between the inflated quote and the eventual settlement, and the attacker could often capture that spread themselves.

The defensive patterns that would have prevented YieldBlox's loss:

  1. Minimum liquidity thresholds before an asset is accepted as collateral — markets with too-thin trading don't qualify.
  2. Volume requirements per oracle window — a single trade at any price should not be sufficient to set the canonical price.
  3. Multi-source aggregation — even if the lending protocol's primary oracle is local, a sanity-check against an external feed (e.g. Chainlink for the same pair on another chain) catches obvious manipulation.
  4. Circuit breakers — automatic pause if reported prices move outside expected ranges per unit of time.
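The following is an added example, not Reflector's or YieldBlox's code: a per-window trade oracle written first in the naive form from the attack description above (whatever traded in the window is the price, so one tiny trade sets it) and then with the trade-count, volume and reference-feed guards from patterns 2 through 4. Prices are USDC per USTRY; the thresholds, the external reference price and the sample trades are constructed.

```rust
// Added example (not Reflector's or YieldBlox's code). Prices are USDC per
// USTRY; thresholds, reference price and sample trades are constructed.
#[derive(Debug, Clone, Copy)]
pub struct Trade {
    pub price: f64,  // USDC paid per USTRY
    pub volume: f64, // USTRY traded
}

#[derive(Debug, PartialEq)]
pub enum OracleError {
    TooFewTrades(usize),
    TooLittleVolume(f64),
    CircuitBreaker { vwap: f64, reference: f64 },
}

pub struct Policy {
    pub min_trades: usize,  // distinct trades a window must contain
    pub min_volume: f64,    // total USTRY volume a window must contain
    pub max_deviation: f64, // allowed |vwap / reference - 1| before pausing
}

fn vwap(trades: &[Trade]) -> f64 {
    let notional: f64 = trades.iter().map(|t| t.price * t.volume).sum();
    let volume: f64 = trades.iter().map(|t| t.volume).sum();
    notional / volume
}

/// Naive derivation: whatever traded in the window is the price, so a single
/// 1 USTRY sale at 501 USDC defines it for every consumer of the feed.
pub fn naive_window_price(trades: &[Trade]) -> Option<f64> {
    if trades.is_empty() { None } else { Some(vwap(trades)) }
}

/// Guarded derivation: thin windows report no price at all, and a VWAP far
/// from an external reference trips the breaker instead of being published.
pub fn guarded_window_price(trades: &[Trade], policy: &Policy, reference: f64) -> Result<f64, OracleError> {
    if trades.len() < policy.min_trades {
        return Err(OracleError::TooFewTrades(trades.len()));
    }
    let volume: f64 = trades.iter().map(|t| t.volume).sum();
    if volume < policy.min_volume {
        return Err(OracleError::TooLittleVolume(volume));
    }
    let price = vwap(trades);
    if (price / reference - 1.0).abs() > policy.max_deviation {
        return Err(OracleError::CircuitBreaker { vwap: price, reference });
    }
    Ok(price)
}
```

A lending pool consuming `guarded_window_price` sees an error rather than a number for the quiet 15-minute window, so no borrow can be valued against it; pattern 1 (refusing thin markets as collateral at listing time) is a policy decision that sits in front of this code.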

The Stellar validator freeze of $7.2M is a notable demonstration of what's possible when chains have small, coordinated validator sets willing to take freezing action. The same capability — exercised at Sui (Cetus) and Terra (Astroport) — is valuable for incident response but is structurally incompatible with the "credible neutrality" claims that decentralisation maximalists make for major chains. The trade-off is real and chain-specific; Stellar's validator set is small enough to coordinate, and that's what made the recovery possible.
