Stellar-Based DeFi Protocol Hacked for $10 Million

Published by The Daily Scout

What happened

A decentralized finance protocol on the Stellar network, YieldBlox, was reportedly hacked for $10 million. The security breach highlights the persistent smart contract risks within the DeFi ecosystem, even on established blockchains.

Why it matters

- The attack exploited an oracle manipulation vulnerability within a lending pool on YieldBlox, a DAO-managed money market protocol.
- The attacker manipulated the price of the USTRY stablecoin from approximately $1.05 to over $100 in a single transaction by targeting the illiquid USTRY/USDC market on Stellar's native decentralized exchange.
- This price manipulation was possible because the market maker for the USTRY/USDC pool had withdrawn liquidity, resulting in less than $1 in hourly trading volume leading up to the exploit.
- Using the artificially inflated USTRY as collateral, the attacker borrowed and withdrew approximately 61 million XLM and 1 million USDC, amounting to a total value of around $10.2 million.
- In a swift response, Stellar network validators coordinated to freeze the attacker's addresses, successfully quarantining 48 million XLM, which is valued at roughly $7.5 million.
- The YieldBlox Security Council, which is coordinated by the protocol's developer Script3, has sent an on-chain message to the hacker's Ethereum address, offering a 10% "white hat" bounty for the return of the remaining unfrozen funds.
- The oracle provider, Reflector, stated that their service quoted the correct market price and that the exploit was a result of the extreme illiquidity of the targeted asset pair.
- This incident was part of a weekend with over $18 million in total assets stolen from various DeFi protocols, including a private key compromise on the IoTeX Bridge.
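A collateral-pricing guard for the failure described above, as an added example (not code from YieldBlox, Reflector or this article): it refuses an oracle price when the source market's hourly volume is too thin or when the newest sample jumps away from the recent median. The thresholds, function names and sample price series are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Assumed policy thresholds (illustrative, not YieldBlox or Reflector parameters).
MIN_HOURLY_VOLUME_USD = 10_000.0  # below this the market is too thin to price collateral
MAX_DEVIATION = 0.10              # newest sample may differ from the window median by 10%
MIN_SAMPLES = 5                   # history required before a price is trusted


@dataclass
class PriceDecision:
    accepted: bool
    price: float   # price used for collateral valuation (0.0 when rejected)
    reason: str


def collateral_price(samples, hourly_volume_usd):
    """Decide whether the newest oracle sample may be used to value collateral.

    samples: oracle prices in USD, oldest first, newest last.
    hourly_volume_usd: traded volume of the source market over the last hour.
    """
    if len(samples) < MIN_SAMPLES:
        return PriceDecision(False, 0.0, "insufficient price history")
    if any(p <= 0 for p in samples):
        return PriceDecision(False, 0.0, "non-positive price sample")
    if hourly_volume_usd < MIN_HOURLY_VOLUME_USD:
        return PriceDecision(False, 0.0, "source market too illiquid")
    latest = samples[-1]
    reference = median(samples[:-1])  # newest sample excluded so it cannot move its own reference
    deviation = abs(latest - reference) / reference
    if deviation > MAX_DEVIATION:
        return PriceDecision(False, 0.0, "price deviates from recent median")
    # Value collateral at the lower price so a spike cannot raise borrowing power.
    return PriceDecision(True, min(latest, reference), "ok")


def max_borrow_usd(collateral_units, decision, collateral_factor=0.75):
    """Borrowing power for a position; zero when the price was rejected."""
    if not decision.accepted:
        return 0.0
    return collateral_units * decision.price * collateral_factor


# Constructed inputs modelled on the figures reported in the article.
SPIKE = [1.05, 1.05, 1.05, 1.05, 100.0]  # about $1.05 jumping to $100 in one update
CALM = [1.05, 1.05, 1.06, 1.05, 1.06]
```

Either check alone rejects the constructed spike: the volume floor fails first at under $1 of hourly volume, and the median comparison fails even if volume is reported as healthy.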

