Stellar-Based DeFi Protocol Hacked for $10 Million
A decentralized finance protocol on the Stellar network, YieldBlox, was reportedly hacked for $10 million. The security breach highlights the persistent smart contract risks within the DeFi ecosystem, even on established blockchains.
- The attack exploited an oracle manipulation vulnerability within a lending pool on YieldBlox, a DAO-managed money market protocol.
- The attacker manipulated the price of the USTRY stablecoin from approximately $1.05 to over $100 in a single transaction by targeting the illiquid USTRY/USDC market on Stellar's native decentralized exchange.
- This price manipulation was possible because the market maker for the USTRY/USDC pool had withdrawn liquidity, resulting in less than $1 in hourly trading volume leading up to the exploit.
- Using the artificially inflated USTRY as collateral, the attacker borrowed and withdrew approximately 61 million XLM and 1 million USDC, amounting to a total value of around $10.2 million.
- In a swift response, Stellar network validators coordinated to freeze the attacker's addresses, successfully quarantining 48 million XLM, which is valued at roughly $7.5 million.
- The YieldBlox Security Council, which is coordinated by the protocol's developer Script3, has sent an on-chain message to the hacker's Ethereum address, offering a 10% "white hat" bounty for the return of the remaining unfrozen funds.
- The oracle provider, Reflector, stated that their service quoted the correct market price and that the exploit was a result of the extreme illiquidity of the targeted asset pair.
- This incident was part of a weekend with over $18 million in total assets stolen from various DeFi protocols, including a private key compromise on the IoTeX Bridge.
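Because the oracle reported a price the market really printed, the guard has to sit on the consuming side. The sketch below is an added example, not code from YieldBlox, Script3 or Reflector: a lending pool refuses to value collateral when the pair is too thin or the newest trade jumps far from the recent median. The thresholds, function name and trade records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Assumed policy values for illustration; not YieldBlox or Reflector settings.
MIN_HOURLY_VOLUME_USD = 10_000.0  # thinner markets are not trusted for collateral
MAX_DEVIATION = 0.20              # largest accepted jump of the newest trade vs. the prior median
MIN_TRADES = 3                    # need some history to build a reference price

@dataclass
class Trade:
    ts: int            # unix seconds
    price: float       # quote units per collateral unit (assumed positive)
    volume_usd: float

def collateral_price(trades, now, window=3600):
    """Return (price, reasons); price is None when the feed must not value collateral."""
    recent = sorted((t for t in trades if now - window <= t.ts <= now),
                    key=lambda t: t.ts)
    if len(recent) < MIN_TRADES:
        return None, ["too_few_trades"]
    reasons = []
    # Liquidity gate: a dead order book can be moved with almost no capital.
    if sum(t.volume_usd for t in recent) < MIN_HOURLY_VOLUME_USD:
        reasons.append("illiquid")
    # Deviation gate: compare the newest trade with the median of the earlier ones.
    latest = recent[-1].price
    reference = median(t.price for t in recent[:-1])
    if abs(latest - reference) / reference > MAX_DEVIATION:
        reasons.append("price_spike")
    if reasons:
        return None, reasons
    # Value collateral at the lower of the two prices (conservative for the lender).
    return min(latest, reference), []

# Constructed samples: a near-dead pair that jumps in one trade, and a liquid, stable pair.
THIN_THEN_SPIKE = [Trade(1000, 1.05, 0.2), Trade(2000, 1.05, 0.2),
                   Trade(3000, 1.05, 0.2), Trade(3900, 106.0, 0.5)]
HEALTHY = [Trade(1000, 1.05, 5000), Trade(2000, 1.06, 5000),
           Trade(3000, 1.04, 5000), Trade(3900, 1.05, 5000)]

if __name__ == "__main__":
    print(collateral_price(THIN_THEN_SPIKE, now=4000))
    print(collateral_price(HEALTHY, now=4000))
```

Either gate alone would have rejected the constructed spike; the liquidity gate also fires before any manipulation, which is when a pool operator would want the alert.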