The DeFi landscape in 2026 continues to be a high-stakes battlefield. On the weekend of February 22, 2026, the Stellar-based lending platform, Blend Protocol, faced a sophisticated "Oracle Manipulation" attack. The target was the community-managed YieldBlox DAO Pool. The result? A staggering loss of approximately $10.8 million.
As developers, we often obsess over reentrancy and access control, but this exploit proves that the Price Oracle remains the ultimate single point of failure.
The Architecture of the Vulnerability
To understand the hack, we must first understand how Blend Protocol interacts with the Stellar Decentralized Exchange (SDEX). Blend is a non-custodial lending protocol where users can create isolated or shared liquidity pools.
The YieldBlox DAO Pool allowed for various assets to be used as collateral. One such asset was USTRY, a yield-bearing Treasury bond issued by Etherfuse.
The Fatal Flaw: Spot Price Dependency
The protocol used the Reflector oracle system. In its configuration for the YieldBlox pool, the oracle fetched the "latest price" (the spot price, i.e. the last trade) directly from the SDEX, with no averaging and no bound on how far a single update could move.
In a thin market the spot price is not a measure of value; it is the last price anyone paid, and it can be bought. When the order book is shallow, a relatively small buy that walks up the asks moves the last-trade price by orders of magnitude, and every protocol that consumes that price now values the asset at the attacker's number.
Technical Execution: The 100x Pump
The attacker followed a classic "Pump-and-Borrow" strategy. Here is the step-by-step breakdown:
- Preparation: The attacker identified USTRY as an asset with extremely low liquidity on the SDEX.
- Manipulation: By executing a series of aggressive buy orders, the attacker artificially inflated the price of USTRY from its fair value of $1.05 to over $100.
- The Oracle Relay: Because the Reflector oracle reported the latest trade price without a volatility filter or a Time-Weighted Average Price (TWAP), it broadcast the $100 print to Blend as the "True Price." Nothing lagged or failed here; the oracle faithfully reported the last price anyone had paid, and the attacker was the one who paid it.
- Collateralization: The attacker deposited a small amount of USTRY. The protocol, seeing the $100 valuation, treated this "dust" as massive collateral.
- The Drain: Against this fake valuation, the attacker borrowed 1 Million USDC and 61 Million XLM.
According to a technical breakdown shared by security researcher Pashov, the incident was not a result of a direct smart contract vulnerability within the Blend protocol itself, but a pure economic manipulation of the oracle's price discovery.
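The five steps above, run as a numeric simulation. This is an added example, not code from Blend, Reflector, YieldBlox or the SDEX: it uses a constructed thin ask book, an assumed 80% loan-to-value factor and a pool that values collateral at the last trade price, and it reports what the pump costs against what it unlocks.

```rust
/// One ask level: `size` units offered at `price` USD each.
#[derive(Clone, Copy, Debug)]
pub struct Ask {
    pub price: f64,
    pub size: f64,
}

/// A deliberately thin ask book (constructed numbers, not SDEX data). Fair
/// value is the best ask, $1.05; clearing every level up to $100 prints a
/// $100 last trade.
pub fn thin_ask_book() -> Vec<Ask> {
    vec![
        Ask { price: 1.05, size: 2_000.0 },
        Ask { price: 1.10, size: 1_000.0 },
        Ask { price: 2.00, size: 500.0 },
        Ask { price: 10.00, size: 200.0 },
        Ask { price: 50.00, size: 100.0 },
        Ask { price: 100.00, size: 100.0 },
        Ask { price: 120.00, size: 50.0 },
    ]
}

/// Result of a market buy that walks up the ask side.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Fill {
    pub usd_spent: f64,
    pub units_bought: f64,
    /// Last traded price: exactly what a "latest price" oracle reports next.
    pub last_price: Option<f64>,
}

/// Market-buy up to `quantity` units. Filling stops when the book runs out,
/// so an oversized order yields a partial fill rather than a panic.
pub fn market_buy(book: &[Ask], quantity: f64) -> Fill {
    let mut remaining = quantity;
    let mut fill = Fill { usd_spent: 0.0, units_bought: 0.0, last_price: None };
    for level in book {
        if remaining <= 0.0 {
            break;
        }
        let take = remaining.min(level.size);
        fill.usd_spent += take * level.price;
        fill.units_bought += take;
        fill.last_price = Some(level.price);
        remaining -= take;
    }
    fill
}

/// Spot-price pool: collateral value = units * last trade price, times LTV.
pub fn borrow_capacity_usd(units: f64, oracle_price: f64, ltv: f64) -> f64 {
    units * oracle_price * ltv
}

#[derive(Debug, Clone, Copy)]
pub struct PumpOutcome {
    pub pump_cost_usd: f64,
    pub spot_after_pump: f64,
    pub fair_value_of_collateral_usd: f64,
    pub borrowable_usd: f64,
}

/// Steps 2-5 of the breakdown: buy every ask at or below $100, deposit the
/// purchased units, and borrow against the inflated spot print. `ltv` is the
/// pool's loan-to-value factor (assumed, e.g. 0.80).
pub fn simulate_pump_and_borrow(ltv: f64) -> PumpOutcome {
    let book = thin_ask_book();
    let fair = book[0].price;
    let qty: f64 = book.iter().filter(|a| a.price <= 100.0).map(|a| a.size).sum();
    let fill = market_buy(&book, qty);
    let spot = fill.last_price.expect("book is non-empty");
    PumpOutcome {
        pump_cost_usd: fill.usd_spent,
        spot_after_pump: spot,
        fair_value_of_collateral_usd: fill.units_bought * fair,
        borrowable_usd: borrow_capacity_usd(fill.units_bought, spot, ltv),
    }
}

fn main() {
    let outcome = simulate_pump_and_borrow(0.80);
    println!("{:#?}", outcome);
    println!(
        "spent ${:.0} to unlock ${:.0} of borrow against ${:.0} of real value",
        outcome.pump_cost_usd, outcome.borrowable_usd, outcome.fair_value_of_collateral_usd
    );
}
```

With these constructed numbers the attacker spends about $21,200 to hold 3,900 units worth $4,095 at fair value, yet the pool lets them borrow $312,000 against it; the ratio, not the exact figures, is the point, and it only gets worse as the book gets thinner.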
Why TWAP Matters
For developers building on Stellar or any other chain, this is a textbook case of why a lending market should never consume a raw spot price, and why a TWAP (Time-Weighted Average Price) is the minimum bar.
A TWAP averages the price over a window (e.g., 30 minutes or 1 hour), so a single trade only moves it in proportion to how long its price remains the last trade. To push a 30-minute TWAP to $100 the attacker must hold the book at $100 for the whole window, absorbing every arbitrage sell that shows up, which costs far more than one walk up the asks and gives monitors time to trigger a circuit breaker. Two caveats: a TWAP lags a genuine move, so liquidations run against stale values during a real crash, and in a market this thin even a brief 100x spike still shifts the average (a 10-second print at $100 inside a 30-minute window adds roughly 55 cents to a $1.05 average), so the TWAP should be paired with a cap on how far any single update may move the reported price.
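A minimal TWAP oracle, as an added example and not Reflector's implementation, fed constructed timestamps and prices: $1.05 for the first 30 minutes, then a $100 print. It compares spot against a 30-minute TWAP ten seconds after the print, and again after the print has been held for a full window with nobody selling into it. The ten-second spike moves the average by about 55 cents; the sustained one moves it all the way.

```rust
/// One oracle observation: ledger close time (seconds) and the last trade price then.
#[derive(Debug, Clone, Copy)]
pub struct Observation {
    pub timestamp: u64,
    pub price: f64,
}

/// A TWAP oracle over a fixed window of seconds.
pub struct TwapOracle {
    window_secs: u64,
    observations: Vec<Observation>,
}

/// Spot and TWAP read at the same moment.
#[derive(Debug, Clone, Copy)]
pub struct Comparison {
    pub spot: f64,
    pub twap: f64,
}

impl TwapOracle {
    pub fn new(window_secs: u64) -> Self {
        TwapOracle { window_secs, observations: Vec::new() }
    }

    /// Record a price at `timestamp`. Non-positive prices and timestamps that go
    /// backwards are rejected rather than silently corrupting the average.
    pub fn record(&mut self, timestamp: u64, price: f64) -> Result<(), &'static str> {
        if price <= 0.0 || !price.is_finite() {
            return Err("invalid price");
        }
        if self.observations.last().map_or(false, |o| timestamp < o.timestamp) {
            return Err("timestamp went backwards");
        }
        self.observations.push(Observation { timestamp, price });
        // Prune observations that can no longer intersect the window, but keep
        // the one just before the window start so early coverage survives.
        let start = timestamp.saturating_sub(self.window_secs);
        while self.observations.len() > 1 && self.observations[1].timestamp <= start {
            self.observations.remove(0);
        }
        Ok(())
    }

    /// What a "latest price" oracle reports.
    pub fn spot(&self) -> Option<f64> {
        self.observations.last().map(|o| o.price)
    }

    /// Time-weighted average over [now - window, now]. Each price holds from its
    /// own timestamp until the next observation (or `now` for the last one).
    /// Returns None when nothing in the window is covered.
    pub fn twap(&self, now: u64) -> Option<f64> {
        let start = now.saturating_sub(self.window_secs);
        let mut weighted = 0.0;
        let mut covered = 0u64;
        for (i, obs) in self.observations.iter().enumerate() {
            let seg_start = obs.timestamp.max(start);
            let seg_end = self.observations.get(i + 1).map_or(now, |n| n.timestamp).min(now);
            if seg_end > seg_start {
                let dur = seg_end - seg_start;
                weighted += obs.price * dur as f64;
                covered += dur;
            }
        }
        if covered == 0 { None } else { Some(weighted / covered as f64) }
    }
}

/// Constructed scenario: $1.05 for the first 30 minutes, then a $100 print at
/// t=1800. Read ten seconds after the print, then after it has been held for a
/// full 30-minute window with nobody selling into it.
pub fn spike_vs_sustained() -> (Comparison, Comparison) {
    let mut oracle = TwapOracle::new(1800);
    oracle.record(0, 1.05).expect("valid observation");
    oracle.record(1800, 100.0).expect("valid observation");
    let brief = Comparison { spot: oracle.spot().unwrap(), twap: oracle.twap(1810).unwrap() };
    let sustained = Comparison { spot: oracle.spot().unwrap(), twap: oracle.twap(3600).unwrap() };
    (brief, sustained)
}

fn main() {
    let (brief, sustained) = spike_vs_sustained();
    println!("10 s after the print:  spot {:.2}, twap {:.4}", brief.spot, brief.twap);
    println!("held for full window:  spot {:.2}, twap {:.4}", sustained.spot, sustained.twap);
}
```

Note what the second reading shows: a TWAP only raises the attacker's cost, it does not remove the attack. If holding $100 for 30 minutes is cheap because nobody has inventory to sell into the pump, the average follows the spot, which is why the depth and deviation checks below still matter.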
The Recovery: Stellar’s Unique Safeguards
Unlike Ethereum, where "Code is Law" often means "Gone is Gone," the Stellar ecosystem has unique governance features.
- Validator Intervention: Stellar’s Tier 1 validators coordinated quickly and froze approximately 48 million XLM (valued at ~$7.5M) before the attacker could bridge it out.
- On-Chain Negotiation: The YieldBlox Security Council, led by Script3, offered a 10% White-hat Bounty if 90% of the funds were returned, promising no legal action.
Lessons for Web3 Developers
If you are building a DeFi protocol today, your security checklist must include these "Post-Blend" rules:
Liquidity-Aware Oracles
Never price collateral without checking the depth of the order book. Measure how many dollars of bids rest within a few percent of the mid price: that is what a liquidator can actually sell into. If that depth (or the asset's daily trade volume) is smaller than the borrow the collateral would unlock, the asset should not be accepted as collateral, or only with a cap that keeps its borrow capacity below the depth.
Multi-Source Verification
Don't rely on a single DEX. Cross-reference the SDEX price with an independent off-chain (CEX) feed via providers like Chainlink or Pyth. If the two sources differ by more than 5%, the protocol should automatically pause borrowing until they reconverge.
Invariant Monitoring
Set up automated monitors on the ratio of total borrowed to total collateral value (TVL). If that ratio moves by 20% within a single ledger (block), trigger a 6-hour emergency pause on borrowing.
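One guard that applies all three rules before a borrow is allowed, as an added example and not Blend's risk logic. The thresholds (5% source deviation, 10% depth band, 20% utilization shift, 80% LTV), the `Market` and `PoolState` shapes and the bid book are assumptions constructed for the example; the bid side is used as depth because that is what a liquidator sells into.

```rust
/// One resting bid: `size` units wanted at `price` USD.
#[derive(Debug, Clone, Copy)]
pub struct Bid { pub price: f64, pub size: f64 }

/// What the guard knows about the collateral asset at this ledger.
#[derive(Debug, Clone)]
pub struct Market {
    pub dex_price: f64,       // latest trade on the DEX the protocol reads (e.g. the SDEX)
    pub reference_price: f64, // independent feed (e.g. off-chain/CEX via a second provider)
    pub bids: Vec<Bid>,       // bid side of the DEX book: what a liquidator sells into
}

/// Pool-wide figures at one ledger.
#[derive(Debug, Clone, Copy)]
pub struct PoolState { pub tvl_usd: f64, pub borrowed_usd: f64 }

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow { borrow_capacity_usd: f64 },
    RejectCollateral(&'static str),
    PauseBorrowing(&'static str),
}

pub struct Guard {
    pub max_source_deviation: f64,  // rule 2: max relative DEX vs reference gap
    pub depth_band: f64,            // rule 1: bids within this fraction of reference count
    pub max_utilization_shift: f64, // rule 3: max relative move of borrowed/TVL per ledger
    pub ltv: f64,
}

/// Rule 1 helper: USD of bids resting no more than `band` below `reference`.
pub fn bid_depth_usd(bids: &[Bid], reference: f64, band: f64) -> f64 {
    let floor = reference * (1.0 - band);
    bids.iter().filter(|b| b.price >= floor).map(|b| b.price * b.size).sum()
}

/// Rule 2 helper: relative gap between the two sources; an unusable
/// reference counts as infinite deviation so it forces a pause too.
pub fn source_deviation(dex: f64, reference: f64) -> f64 {
    if reference <= 0.0 || !reference.is_finite() {
        return f64::INFINITY;
    }
    (dex - reference).abs() / reference
}

/// Rule 3 helper: relative change of borrowed/TVL from `prev` to `cur`.
pub fn utilization_shift(prev: PoolState, cur: PoolState) -> f64 {
    let util = |p: PoolState| if p.tvl_usd > 0.0 { p.borrowed_usd / p.tvl_usd } else { 0.0 };
    let (a, b) = (util(prev), util(cur));
    match (a == 0.0, b == 0.0) {
        (true, true) => 0.0,
        (true, false) => f64::INFINITY,
        _ => ((b - a) / a).abs(),
    }
}

impl Guard {
    /// Decide whether `collateral_units` of the asset may back a new borrow.
    pub fn evaluate(&self, m: &Market, collateral_units: f64, prev: PoolState, cur: PoolState) -> Decision {
        // Rule 3 first: a pool-wide invariant break pauses everything.
        if utilization_shift(prev, cur) > self.max_utilization_shift {
            return Decision::PauseBorrowing("borrowed/TVL ratio moved too far in one ledger");
        }
        // Rule 2: the DEX print disagrees with the reference feed.
        if source_deviation(m.dex_price, m.reference_price) > self.max_source_deviation {
            return Decision::PauseBorrowing("DEX price deviates from reference feed");
        }
        // Rule 1: value collateral at the lower source, and only unlock borrow
        // that the bid side could absorb in a liquidation.
        let capacity = collateral_units * m.dex_price.min(m.reference_price) * self.ltv;
        let depth = bid_depth_usd(&m.bids, m.reference_price, self.depth_band);
        if capacity > depth {
            return Decision::RejectCollateral("borrow capacity exceeds liquidatable depth");
        }
        Decision::Allow { borrow_capacity_usd: capacity }
    }
}

/// Thresholds from the checklist above (assumed; tune per pool).
pub fn default_guard() -> Guard {
    Guard { max_source_deviation: 0.05, depth_band: 0.10, max_utilization_shift: 0.20, ltv: 0.80 }
}

/// Constructed thin market where $1.05 is fair value; `dex_price` is the print under test.
pub fn sample_market(dex_price: f64) -> Market {
    let bids = vec![
        Bid { price: 1.04, size: 50_000.0 },
        Bid { price: 1.00, size: 50_000.0 },
        Bid { price: 0.90, size: 100_000.0 }, // below the 10% band, does not count
    ];
    Market { dex_price, reference_price: 1.05, bids }
}

fn main() {
    let guard = default_guard();
    let calm = PoolState { tvl_usd: 10_000_000.0, borrowed_usd: 5_000_000.0 };
    let drifted = PoolState { tvl_usd: 10_000_000.0, borrowed_usd: 5_200_000.0 };
    let spiked = PoolState { tvl_usd: 10_000_000.0, borrowed_usd: 7_500_000.0 };
    println!("{:?}", guard.evaluate(&sample_market(1.06), 10_000.0, calm, drifted));
    println!("{:?}", guard.evaluate(&sample_market(1.06), 200_000.0, calm, drifted));
    println!("{:?}", guard.evaluate(&sample_market(100.0), 10_000.0, calm, drifted));
    println!("{:?}", guard.evaluate(&sample_market(1.06), 10_000.0, calm, spiked));
}
```

The four calls in `main` walk the cases in order: a small borrow on a calm market is allowed; the same market rejects a position whose borrow capacity exceeds the $102,000 of bids within the band; a $100 DEX print against a $1.05 reference pauses borrowing before any collateral math runs; and a jump in borrowed/TVL from 50% to 75% in one ledger pauses borrowing regardless of what the oracle says.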
The Future of Stellar DeFi
The Blend Protocol exploit wasn't a failure of Stellar’s Soroban smart contracts; it was a failure of Economic Risk Modeling. As we move deeper into 2026, the complexity of yield-bearing assets like USTRY will only increase.
The core Blend protocol remains secure, but the YieldBlox incident serves as a grim reminder: In DeFi, if the oracle is wrong, the entire protocol is a donation box.