YieldBlox $10M Exploit: How a Single Trade Broke an Oracle

On February 22, 2026, the community-managed YieldBlox Blend pool on Stellar suffered a $10M+ exploit — not because of a smart contract bug, but due to a classic thin-liquidity oracle manipulation.

The attacker targeted the illiquid USTRY/USDC market on the Stellar DEX (SDEX), where trading volume was nearly nonexistent. With market depth close to zero, a single abnormal trade was enough to inflate USTRY’s price from roughly $1 to $106 — a 100× increase.

Here’s where it gets critical.

YieldBlox relied on Reflector, a VWAP-based oracle sourcing prices directly from the Stellar DEX. Because no additional trades occurred within the VWAP window, the manipulated trade dominated the average calculation. The oracle updated — and reported the inflated price as legitimate.

The protocol trusted this price without additional liquidity thresholds or sanity checks.

That trust cost over $10 million.

How the Exploit Unfolded

Once the oracle reflected the manipulated valuation, the attacker:

• Supplied 13,003 USTRY as collateral
• Borrowed ~1,000,196 USDC
• Supplied an additional 140,000 USTRY
• Borrowed ~61 million XLM

Because the system believed USTRY was worth $106 instead of ~$1, the collateral was massively overvalued. This enabled excessive borrowing and ultimately left the pool with significant bad debt.

No smart contract was broken.
No reentrancy bug.
No logic flaw.

This was purely an economic attack.

Root Cause

The core issue wasn’t Reflector’s infrastructure. It functioned exactly as designed.

The weakness lay in relying on a VWAP model tied to an extremely illiquid market with:

• Less than $1 in hourly volume
• Virtually no order book depth
• No circuit breakers
• No liquidity validation

In thin markets, a single trade can distort price reality. Without safeguards, that distorted price becomes protocol truth.

This exploit reinforces a critical lesson:

Mathematically sound oracle systems can still fail when underlying market conditions are economically unsound.

Fund Movement

After borrowing, the attacker swapped assets into USDC and bridged funds from Stellar to Base using Allbridge, then moved them to Ethereum via Across and Relay. At the time of reporting, a large portion of the funds remains traceable, with some assets frozen and others dispersed across addresses.

Post-Incident Response

Reflector confirmed its infrastructure wasn’t compromised. Script3 coordinated remediation efforts and announced that depositors in the affected pool would be fully compensated. Importantly, the incident was isolated to a single community-managed pool, with no impact on other Blend pools.

The Bigger Takeaway

This wasn’t a coding failure. It was a market design failure.

Thin liquidity + unchecked VWAP models + no circuit breakers = a $10M exploit.

Oracle integrations must account not just for price calculation, but for liquidity quality, market depth and manipulation resistance.

YieldBlox $10M Exploit: How a Single Trade Broke an Oracle was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.