YieldBlox $10.97M Exploit Analysis
What Happened
On February 22, 2026 at 00:25 UTC, an attacker drained $10.97 million from YieldBlox's community-managed pool on Blend V2. The exploit targeted USTRY (a yield-bearing US Treasury stablebond) as collateral and extracted 1,000,196 USDC and 61,249,278 XLM through oracle price manipulation.
Technical Root Cause
The attack exploited four cascading failures in the system architecture:
1. Illiquid Collateral Listing: USTRY was accepted as collateral despite trading on SDEX with "less than $1 in hourly volume" and "fewer than five tokens on the ask side."
2. VWAP Oracle Vulnerability: Reflector used volume-weighted average pricing that became unreliable in thin markets. A single trade dominated the calculation in the absence of competing activity.
3. Oracle Adapter Failure: The adapter between Reflector and Blend "didn't take a median" and "didn't flag the deviation," passing raw last price directly through without sanity checks.
4. Missing Anomaly Detection: Blend V2 "had no mechanism to distinguish between accurate prices and prices accurate only because nobody had traded."
Attack Vector & Exploit Steps
Preparation Phase (February 14-21):
• Created primary wallet on February 14, seeded with 56.32 XLM
• Conducted small USTRY test purchases at legitimate prices (~$1.058)
• Created dedicated manipulation burner account on February 21 at 23:35 UTC
Execution Phase (February 22, 00:10-00:25 UTC):
1. Price Setting: Burner account placed sell offer for 1.2185 USTRY at 107 USDC (100x manipulation)
• Transaction: 09e1a9d1197c9bf0af4e87da328c4f2d5eb49b487630aa61991fb5c1c4637cdb
2. Trade Trigger: Price-setting account bought 0.05 USTRY against inflated offer at 00:10:21 UTC
• Transaction: 60fe039e96e88402d175c8de68e80651874ab125880dd384a1636914ba95bef1
• This 50-cent trade set the oracle's reference price to $106.74
3. Oracle Poisoning: Two consecutive price windows (00:15 and 00:20 UTC) ingested manipulated price
4. First Collateral Deposit: ~153,000 USTRY deposited in two rounds
• Real value: ~$160,000
• Oracle valuation: ~$16 million
• Health factor: 1.35 (the deposit was still accepted even though the real value was about 1/100th of the oracle valuation)
5. Additional Deposit: 140,000 more USTRY deposited
• Total oracle valuation: ~$15.99 million
• Actual value: ~$158,500
• Health factor: 1.47
6. Extraction: Two borrow transactions at 00:24:27 UTC
• USDC borrow: ae721cacee382bdecac8d2c47286ecd42cb4711f658bb2aec7cba60dc64a31ff
• XLM borrow: 3e81a3f7b6e17cc22d0a1f33e9dcf90e5664b125b9e61f108b8d2f082f2d4657
Financial Impact
Stolen Amounts:
• 1,000,196 USDC
• 61,249,278 XLM
Total: $10.97 million
Fund Movement:
• Swapped into USDC and bridged via Allbridge from Stellar to Base
• Further moved via Across and Relay protocols to Ethereum, Base, and BNB Chain
Current Holdings (as of February 27):
• Exploiter 1: 363.98 ETH + 12.78 ETH on Base (~$729K)
• Exploiter 2: 357.28 ETH + 19.23 ETH on Base + 38,746 USDC (~$769K)
• Exploiter 3: 300 ETH (~$583K)
Frozen Assets:
• Tier 1 Validators froze ~48M XLM (~80% of stolen XLM) across attacker's Stellar accounts
Laundering Activity: On February 27, Exploiter 2 moved 100 ETH to 0xFC51b5cD07E73020bE902A5b00902f329b083eaB, which was sent to Tornado Cash via 0xdc082828a2358ccb33b3837b49bfe678c31259aad59c39c76916a53f8c73853b.
Between 09:17 and 09:26 UTC on February 23, "23 transactions moved ~380 ETH from Base back to Exploiter 2 on Ethereum mainnet," using the Relay and Across protocols in uniform batches of 10-50 ETH each.
Attacker Infrastructure
Gas Funding Network: Multiple wallets were funded via Etherscan-flagged phishing addresses, indicating an organized operation:
• Primary supplier: 0xd7e42d9502fbd66d90750e544e05c2b3ca7cbd22 (appears three times)
• Five additional flagged phishing addresses in funding network
Security Council Response: Coinbase-funded messenger wallet 0x456c2F5F3536b1D9238F4654D5242B0dF8f978AF delivered bounty negotiation message offering 90% recovery terms within 72 hours. The attacker provided no response and continued consolidating funds.
Remediation & Response
Script3 Actions:
• Confirmed attack was isolated to single community-managed pool
• Verified no other Blend pools affected or vulnerable
• Announced "all depositors - USDC, XLM, and EURC - would be fully compensated for losses caused by the bad debt"
Reflector Confirmation:
• Infrastructure was not compromised
• Oracle accurately reported SDEX prices
• Root cause was "a market fully handled by a single market-maker with almost zero trading activity"
• Assets with "meaningful liquidity and multiple active traders are not at risk"
Recommended Mitigations (per QuillAudits):
• Implement liquidity thresholds for acceptable collateral
• Add market depth validation checks
• Deploy circuit breakers for suspicious price movements
• Add staleness flags for markets with extended trading gaps
• Require oracle consensus/median filtering instead of raw last price
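The adapter checks recommended above (and the four root-cause failures listed earlier) expressed as an added Rust example; this is not Blend, Reflector or Script3 code, and the window data, thresholds and 7-decimal fixed-point convention are constructed assumptions:

```rust
// Added example (not Blend, Reflector or Script3 code): an oracle adapter that applies
// staleness, liquidity, depth and median-deviation checks, beside the raw pass-through
// it replaces. Prices/volumes use 7-decimal fixed point; all sample data is constructed.
const ONE: i128 = 10_000_000; // 1.0 in 7-decimal fixed point

#[derive(Clone, Copy)]
pub struct Window { pub ts: u64, pub vwap: i128, pub volume: i128, pub asks: u32 }

pub struct Policy { pub max_age: u64, pub min_volume: i128, pub min_asks: u32, pub max_dev_bps: i128 }

#[derive(Debug, PartialEq)]
pub enum Reject { NoData, Stale, ThinVolume, ThinBook, Deviation }

/// What the vulnerable path did: serve the newest window's VWAP with no checks at all.
pub fn raw_last_price(windows: &[Window]) -> Option<i128> {
    windows.last().map(|w| w.vwap)
}

fn median(mut v: Vec<i128>) -> i128 {
    v.sort_unstable();
    let n = v.len();
    if n % 2 == 1 { v[n / 2] } else { (v[n / 2 - 1] + v[n / 2]) / 2 }
}

/// Hardened path: reject stale, thin or single-ask markets, then reject a latest print that
/// deviates from the lookback median. On success the median is served, not the last trade.
pub fn guarded_price(windows: &[Window], now: u64, p: &Policy) -> Result<i128, Reject> {
    let last = windows.last().ok_or(Reject::NoData)?;
    if now.saturating_sub(last.ts) > p.max_age { return Err(Reject::Stale); }
    if last.volume < p.min_volume { return Err(Reject::ThinVolume); }
    if last.asks < p.min_asks { return Err(Reject::ThinBook); }
    let med = median(windows.iter().map(|w| w.vwap).collect());
    if med <= 0 { return Err(Reject::NoData); }
    let dev_bps = (last.vwap - med).abs() * 10_000 / med;
    if dev_bps > p.max_dev_bps { return Err(Reject::Deviation); }
    Ok(med)
}

/// Constructed windows: two at a ~$1.058 print, then one where a 0.05-token trade against a
/// single resting ask produces a $106.74 VWAP.
pub fn poisoned_windows() -> Vec<Window> {
    vec![
        Window { ts: 1000, vwap: 10_580_000, volume: 500 * ONE, asks: 6 },
        Window { ts: 1300, vwap: 10_580_000, volume: 500 * ONE, asks: 6 },
        Window { ts: 1600, vwap: 1_067_400_000, volume: ONE / 20, asks: 1 },
    ]
}

pub const STRICT: Policy = Policy { max_age: 300, min_volume: ONE, min_asks: 5, max_dev_bps: 500 };

fn main() {
    let w = poisoned_windows();
    println!("raw adapter serves {:?}", raw_last_price(&w));            // Some(1067400000)
    println!("guarded adapter: {:?}", guarded_price(&w, 1600, &STRICT)); // Err(ThinVolume)
}
```

With the volume and depth thresholds relaxed the same window is still rejected by the deviation check, which is the layered behaviour the mitigation list calls for.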
Audit Context
Blend V2 underwent extensive security review:
• February 2025: $125,000 Code4rena competition with Certora formal verification (first Rust/Soroban DeFi contest)
• 21 security researchers participated, writing nearly 1,000 rules
• April 2025: $20,000 mitigation review
• Main invariant verified: "Users cannot extract funds from a pool if they do not meet or exceed minimum health factor"
The formal verification proved the health factor logic worked correctly. However, "the oracle, Reflector's integration, and the question of what happens when an accepted collateral asset has no functioning market, none of it was in scope."
Key Addresses
Attacker Wallets (Stellar):
• Primary: GBO7VUL2TOKPWFAWKATIW7K3QYA7WQ63VDY5CAE6AFUUX6BHZBOC2WXC
• SDEX Manipulation Burner: GCNF5GNRIT6VWYZ7LXUZ33Q3SR2NUGO32F5X65VVKAEWWIQCKGYN75HB
• Price-Setting Trade Trigger: GDHRCQNC64UVL27EXSC6OG6I2FCT4NWM72KNHLHKEB3LK4MEEYYWETN3
EVM Exploiter Wallets (Ethereum/Base):
• Exploiter 1: 0xE69f6d77DB6Ff493FDD15D8A0B390c36E18E5b21
• Exploiter 2: 0x2D1CE29b4aF15fb6E76Ba9995BbE1421E8546482
• Exploiter 3: 0x0b2B16E1a9E2e9b15027AE46Fa5eC547f5ef3eC6
Tornado Cash Funnel: 0xdc082828a2358ccb33b3837b49bfe678c31259aad59c39c76916a53f8c73853b