YieldBlox lost $10.97 million on Blend V2 when an attacker manipulated the price of USTRY collateral 100x using a single trade in an illiquid market, then borrowed against the inflated valuation. The oracle reported the manipulated price accurately, but the protocol had no safeguards for detecting market anomalies or liquidity thresholds.
On February 22, 2026, an attacker drained $10.97 million in XLM and USDC from YieldBlox's community-managed pool on Blend V2 by exploiting a cascade of failures: USTRY collateral with less than $1 in hourly volume, a VWAP oracle that reported spot prices from a ghost-town market, an adapter that passed raw last prices without deviation checks, and a lending protocol with no circuit breakers. The attacker deposited ~153k USTRY worth $160k at real prices, manipulated its price to $106.74 via a single trade, and borrowed $10.97 million against the inflated collateral. Tier 1 Validators froze 48M XLM before it could move, but the attacker bridged remaining funds to EVM chains via Allbridge and moved them across Ethereum, Base, and BNB Chain. Script3 confirmed all depositors will be compensated and that no other Blend pools were affected.
