
YIELDBLOX - REKT
Saturday, February 28, 2026

$10.97 million gone from YieldBlox's community-managed pool on Blend V2, and all it took was one trade in the USTRY/USDC market with less than $1 in hourly volume.
No novel bug, no smart-contract sorcery, just liquidity vaporized the old-fashioned way.
Someone found a collateral asset so thinly traded that fewer than five tokens sat on the ask side of the order book, and they pumped the price 100x with a single transaction.
The Reflector oracle dutifully reported the new price. Blend V2 dutifully accepted the collateral valuation. The attacker dutifully borrowed $10.97 million in XLM and USDC and walked out the door.
YieldBlox has been building on Stellar since 2022. Script3, the team behind it, ran a community-managed pool on Blend V2.
The attacker deposited ~153,000 USTRY in two rounds, worth roughly $160k at real prices, and borrowed against it as though it were worth $16 million. USTRY was never stolen. It was the key. The XLM and USDC sitting in the pool were the loot.
Nobody had put a floor on what kind of market conditions that collateral needed to actually hold its value.
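An added example, not code from the article or from Blend, Reflector or YieldBlox: a Rust sketch of the kind of floor described above, refusing a collateral price when the market behind it is too thin or the spot price has run away from a longer-window average. The struct and function names, the thresholds, the TWAP input and the market figures are all assumptions, constructed to mirror the numbers in the article.

```rust
// Added illustration: prices and volumes are in micro-USD (1_000_000 = $1).
// All thresholds and market figures are constructed, not Blend or Reflector values.
pub struct Market {
    pub spot: u64,          // last price the oracle reports
    pub twap: u64,          // longer-window average price (assumed available)
    pub hourly_volume: u64, // traded value over the last hour
    pub ask_depth: u64,     // whole tokens resting on the ask side
}

pub struct Guard {
    pub min_hourly_volume: u64,
    pub min_ask_depth: u64,
    pub max_deviation_bps: u64, // allowed |spot - twap| / twap, in basis points
}

#[derive(Debug, PartialEq)]
pub enum Reject { ThinVolume, ThinBook, PriceDeviation }

/// Price usable for collateral valuation, or the reason it is refused.
pub fn collateral_price(m: &Market, g: &Guard) -> Result<u64, Reject> {
    if m.hourly_volume < g.min_hourly_volume { return Err(Reject::ThinVolume); }
    if m.ask_depth < g.min_ask_depth { return Err(Reject::ThinBook); }
    let diff = m.spot.abs_diff(m.twap) as u128;
    if diff * 10_000 > (m.twap as u128) * (g.max_deviation_bps as u128) {
        return Err(Reject::PriceDeviation);
    }
    Ok(m.spot.min(m.twap)) // value collateral at the lower of the two
}

/// Collateral value in micro-USD for `amount` whole tokens.
pub fn value(amount: u64, price: u64) -> u128 { (amount as u128) * (price as u128) }

pub fn sample_guard() -> Guard {
    Guard { min_hourly_volume: 10_000_000_000, min_ask_depth: 50_000, max_deviation_bps: 500 }
}

/// Constructed to mirror the article: <$1 hourly volume, <5 tokens on the ask, 100x spot.
pub fn pumped_market() -> Market {
    Market { spot: 105_000_000, twap: 1_050_000, hourly_volume: 900_000, ask_depth: 4 }
}

fn main() {
    let (m, g) = (pumped_market(), sample_guard());
    println!("naive value: ${}", value(153_000, m.spot) / 1_000_000);
    match collateral_price(&m, &g) {
        Ok(p) => println!("guarded value: ${}", value(153_000, p) / 1_000_000),
        Err(e) => println!("collateral refused: {:?}", e),
    }
}
```

A TWAP taken from the same thin market can itself be moved over time, so the volume and depth floors carry as much weight here as the deviation check.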
Tier 1 Validators scrambled to freeze 48 million XLM - about 80% of the stolen native token. The Security Council sent an on-chain bounty message. The attacker's response was to keep laundering.
When the USTRY/USDC market on the SDEX had less than a dollar in hourly volume and YieldBlox's oracle treated its spot price like gospel - who exactly failed the security review?
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.