The Stellar-based lending platform Blend Protocol reported a significant exploit over the weekend of February 22, 2026, resulting in a loss of approximately $10.2 million to $10.8 million. The attack specifically targeted the community-managed YieldBlox DAO Pool, while other liquidity pools and the core Blend protocol remain unaffected.
🚨DeFi project Blend (Stellar blockchain) was exploited for $10.5M+ yesterday. Root cause – price manipulation of a virtually zero liquidity asset.
Attacker inflated USTRY price 100x, price oracle reported collateral as 100x more valuable, so attacker borrowed >$10M and ran away.
— pashov (@pashov) February 23, 2026
Source: https://x.com/pashov/status/2025938184903721015?s=20
Technical Breakdown of the Exploit
The incident was not a result of a direct smart contract vulnerability within the Blend protocol itself. Instead, it was an “Oracle Manipulation” attack leveraging the low liquidity of a specific asset on the Stellar Decentralized Exchange (SDEX).
The attacker identified USTRY, a yield-bearing Treasury bond issued by Etherfuse, as an asset with extremely thin liquidity. By executing a series of trades, the attacker artificially inflated the price of USTRY from approximately $1.05 to over $100, representing a 100x increase.
Blend utilizes the Reflector oracle system to fetch price data from SDEX. Because the protocol relied on the “latest price” without robust safeguards such as time-weighted average prices (TWAP) or multi-source verification, the oracle reported the manipulated $100+ price as the legitimate value. Using a small amount of USTRY as collateral, the attacker was able to borrow approximately 1 million USDC and 61 million XLM against the falsely inflated valuation.
Network Response and Asset Recovery
Following the detection of the anomaly, Stellar’s Tier 1 validators acted swiftly to mitigate the damage. A significant portion of the stolen funds was successfully frozen, including approximately 48 million XLM (valued between $7.2M and $7.5M).
The YieldBlox Security Council, coordinated by Script3, has officially reached out to the attacker via an on-chain message. The council has offered a 10% white-hat bounty on the condition that 90% of the funds are returned. The statement indicated that no legal action would be pursued if the funds were returned within the specified window.
Impact and Remediation
The financial impact is currently confined to the YieldBlox DAO Pool. According to official statements from the Blend Capital and Reflector teams, the core Blend protocol and its independent markets remain secure.
While this attack focused on oracle manipulation, it joins a list of recent security challenges facing cross-chain and lending ecosystems, similar to the vulnerabilities detailed in our IoTeX bridge hack full on-chain analysis report.
The teams are now working on implementing advanced oracle protections, including liquidity thresholds and multi-source price aggregation, to prevent similar manipulation of illiquid assets. This incident underscores the need for more robust oracle designs in DeFi, particularly on networks like Stellar with thin liquidity markets.
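The safeguards named above (TWAP, a liquidity threshold and a second price source) can be combined into one collateral-pricing guard, sketched here as an added example that is not Blend's or Reflector's code. The function names, the 1e7 fixed-point scale, the thresholds and the sample window are all assumptions constructed for illustration.

```rust
// Added example: guarded collateral pricing. Names, thresholds and data are assumptions.
// Prices and volumes are fixed-point integers scaled by 1e7 (assumed scale).
pub const SCALE: i128 = 10_000_000;

#[derive(Clone, Copy)]
pub struct Sample { pub ts: u64, pub price: i128, pub volume: i128 }

#[derive(Debug, PartialEq)]
pub enum Reject { NoData, ThinLiquidity, SpotDeviatesFromTwap, SourcesDisagree }

/// Time-weighted average: each price is weighted by how long it was the latest one.
pub fn twap(s: &[Sample], now: u64) -> Option<i128> {
    let (mut acc, mut span) = (0i128, 0i128);
    for (i, x) in s.iter().enumerate() {
        let end = s.get(i + 1).map_or(now, |n| n.ts);
        let dt = end.saturating_sub(x.ts) as i128;
        acc += x.price * dt;
        span += dt;
    }
    if span > 0 { Some(acc / span) } else { None }
}

/// Absolute deviation of `a` from `b` in basis points.
pub fn dev_bps(a: i128, b: i128) -> i128 { (a - b).abs() * 10_000 / b.max(1) }

/// Returns a price usable for collateral valuation, or the reason to refuse it.
pub fn guarded_price(primary: &[Sample], second_source: i128, now: u64,
                     min_volume: i128, max_dev_bps: i128) -> Result<i128, Reject> {
    let last = primary.last().ok_or(Reject::NoData)?;
    let avg = twap(primary, now).ok_or(Reject::NoData)?;
    let volume: i128 = primary.iter().map(|x| x.volume).sum();
    if volume < min_volume { return Err(Reject::ThinLiquidity); }
    if dev_bps(last.price, avg) > max_dev_bps { return Err(Reject::SpotDeviatesFromTwap); }
    if dev_bps(avg, second_source) > max_dev_bps { return Err(Reject::SourcesDisagree); }
    Ok(avg.min(last.price)) // value collateral at the lower of the two
}

/// Constructed window: one sample every 300 s starting at ts = 0.
pub fn window(prices: &[i128], volume_each: i128) -> Vec<Sample> {
    prices.iter().enumerate()
        .map(|(i, &p)| Sample { ts: i as u64 * 300, price: p, volume: volume_each })
        .collect()
}

fn main() {
    let spike = window(&[10_500_000, 10_500_000, 10_500_000, 100 * SCALE], 50_000 * SCALE);
    println!("twap alone: {:?}", twap(&spike, 1200));
    println!("guarded:    {:?}", guarded_price(&spike, 10_500_000, 1200, 100_000 * SCALE, 500));
}
```

On the constructed spike window the TWAP alone still reports about 25.79, roughly 24 times the pre-spike price, so averaging over a short window dampens the jump without removing it. The deviation, liquidity and second-source checks are what cause the price to be refused.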








