
Stellar-Based Lending Protocol Hit by Oracle Manipulation Attack

crypto-economy.com

TL;DR:

  • An attacker manipulated the price of the USTRY stablecoin from $1.05 to over $100 to drain funds.
  • Stellar validators reacted quickly, freezing 80% of the stolen $XLM tokens.
  • The development team says the attack was an isolated event in a single community pool.

This past weekend, the Stellar Blend protocol suffered an exploit caused by a coordinated oracle manipulation attack. The event resulted in the loss of at least $10.8 million and specifically affected the autonomous USTRY/$XLM market.

To clarify:

This incident was isolated to a single asset in a single community managed pool.

No other Blend pools are vulnerable to the same oracle manipulation vector. There are no vulnerabilities in the Blend smart contracts.

Blend allows pool creators to choose their own… https://t.co/4M9VpIMVTw

— Script3 (@script3official) February 23, 2026

Technical reports on the incident reveal that the attacker managed to artificially inflate the price of the USTRY stablecoin from $1.05 to over $100 in a single transaction. Taking advantage of the inflated price, the hacker used the manipulated oracle to borrow 61 million $XLM and 1 million USDC.

Because USTRY liquidity had been temporarily withdrawn, the system detected no trading activity for a 15-minute window. This operational gap allowed the false price to be validated, facilitating the massive withdrawal of assets to the Ethereum network.

Security Response and Recovery of Stolen Assets

The incident was severe, but Stellar network validators reacted immediately and managed to mitigate the financial impact. Thanks to their action, 80% of the stolen $XLM was frozen, preventing the attacker from liquidating the majority of the loot.

Meanwhile, the YieldBlox Security Council sent an on-chain message to the attacker offering a 10% “white hat” bounty. The proposal seeks the return of the remaining funds in exchange for not initiating legal action and facilitating the return of the 48 million $XLM held in the frozen addresses.

In summary, Script3 developers clarified that the vulnerability was limited to a community-managed pool and does not affect other Blend markets. However, this event highlights the importance of oracle redundancy to prevent price manipulation attacks in the future.
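The failure mode described above (a price taken from a 15-minute window with almost no trades) and the oracle redundancy recommended here can be modelled as a price-acceptance guard. This is an added example, not code from the article, Blend or Script3; the feed names, thresholds and sample trades are assumptions constructed for illustration.

```python
from statistics import median

WINDOW_S = 15 * 60   # 15-minute window described in the article
MIN_TRADES = 5       # assumed: fewer trades than this means the market is too thin
MIN_FEEDS = 2        # assumed: quorum of independent price feeds
MAX_SPREAD = 0.05    # assumed: max deviation of any feed from the median
MAX_JUMP = 0.10      # assumed: max move against the last accepted price


def window_price(trades, now):
    """Volume-weighted price over the window, or None when trading is too thin."""
    recent = [(p, v) for ts, p, v in trades if 0 <= now - ts <= WINDOW_S]
    volume = sum(v for _, v in recent)
    if len(recent) < MIN_TRADES or volume <= 0:
        return None
    return sum(p * v for p, v in recent) / volume


def accept_price(feeds, last_good, now):
    """Return (price, reason); price is None when the update is rejected."""
    quotes = [q for q in (window_price(t, now) for t in feeds.values()) if q is not None]
    if len(quotes) < MIN_FEEDS:
        return None, "too few live feeds"
    mid = median(quotes)
    if any(abs(q - mid) / mid > MAX_SPREAD for q in quotes):
        return None, "feeds disagree"
    if abs(mid - last_good) / last_good > MAX_JUMP:
        return None, "jump exceeds limit"
    return mid, "ok"


def sample_trades(price, count, now):
    """Constructed sample data: one trade per minute, newest first."""
    return [(now - 60 * i, price, 1000.0) for i in range(count)]


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp, seconds
    calm = sample_trades(1.05, 6, now)
    cases = {
        "normal": {"dex": calm, "ref": calm},
        "single trade in empty window": {"dex": [(now - 10, 100.0, 1.0)], "ref": calm},
        "sustained fake price": {"dex": sample_trades(100.0, 6, now), "ref": calm},
        "both feeds jump": {"dex": sample_trades(1.30, 6, now), "ref": sample_trades(1.30, 6, now)},
    }
    for name, feeds in cases.items():
        print(name, "->", accept_price(feeds, last_good=1.05, now=now))
```

A rejected update should leave borrowing against the asset paused until a valid price returns, rather than falling back to the last unchecked value.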
