73% Quarantined: How Blockaid and Stellar Validators Contained a $10M Price Manipulation Attack
Executive Summary
On February 22, 2026, an attacker manipulated the market price of a low-liquidity token on a key decentralized exchange on Stellar, and used the inflated valuation to drain approximately $10.2 million worth of XLM and USDC from a lending protocol on Stellar. The manipulation exploited the low liquidity of USTRY, a minimally traded RWA token, causing the price-feed oracle to publish an inflated asset price that the lending protocol accepted as a valid collateral price, enabling the attacker to take out a fraudulent loan. After executing the borrow transaction, the attacker began transferring both XLM and USDC to bridges, exchanges, and intermediary wallets in an attempt to exit the funds.
Blockaid provided real-time forensic analysis, wallet clustering, and cross-chain fund tracing to identify and confirm attacker-controlled accounts. Using that intelligence, Stellar Tier-1 validator operators deployed configuration changes to restrict transactions from those accounts, resulting in approximately 48 million XLM (~$7.3 million) being effectively quarantined onchain. The team is also working to recoup an additional ~$1.7M through partner collaboration. Blockaid, utilizing a combination of real-time transaction scanning and its Onchain Monitoring platform, worked alongside Stellar Tier-1 validator operators and ecosystem participants to monitor attacker-controlled wallets and related cross-chain addresses, trace multi-hop asset flows, and support response coordination.
This report explains how the exploit unfolded and the lessons it offers for blockchains monitoring ecosystem risk, DeFi protocols relying on live oracle prices or other execution logic signals, and institutions deploying capital onchain.
Lending Protocols, Oracles, and Price Manipulation
Blend is a decentralized lending protocol on Stellar that enables users to supply assets as collateral and borrow against them. Blend, like other lending protocols, requires reliable price inputs in order to determine how much value a deposited asset represents and how much can be borrowed against it. Because smart contracts cannot access external market data directly, Blend relies on oracle systems that publish asset prices onchain.
On Blend, lending pools are created and configured independently, with asset risk parameters defined at the pool level. The affected pool in this incident was part of the YieldBlox DAO community deployment. In this case, the Blend lending pools consumed price data from Reflector, an oracle on Stellar. Reflector derives prices using a volume-weighted average price model calculated from trades executed on the Stellar DEX. While this model is generally stable in active markets, it becomes highly sensitive when trading activity is low, allowing individual transactions to heavily influence the reported price for illiquid assets.
USTRY, the asset whose price was manipulated in this incident, is a tokenized U.S. Treasury asset that brings traditional financial instruments onchain. The USTRY trading pair had almost no trading activity prior to the incident; at the time of the manipulated trade, there were no buy or sell orders remaining on the orderbook to anchor the price. As a result, a single transaction was able to move the price of USTRY significantly and inflate the price feed reported by the oracle.
The Exploit: How it Unfolded
1. Price Manipulation
Just after midnight UTC on February 22, the attacker executed a manage_buy_offer operation on the Stellar DEX that caused USTRY to trade at nearly 100x its historical price.
Because trading activity and liquidity were extremely limited, this single transaction became the dominant input for Reflector’s 300-second aggregation window. The manipulated price persisted across two consecutive price feed updates.
2. Oracle Poisoning
Blend’s oracle wrapper enforced a deviation check using max_dev = 10, meaning price changes greater than 10 percent would be rejected. However, the wrapper compared each new price only to the immediately preceding window. Since both consecutive windows reflected the manipulated price, the calculated deviation was zero. The inflated price therefore passed validation.
USTRY’s reported value increased from approximately $1.05 to approximately $106.73.
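The following is an added example, not code from Blend, Reflector, or Blockaid: a simplified model of the adjacent-window deviation check described above, next to one possible hardening that compares each price to a trailing median instead. The function names, the constructed trade data, the `lookback` value, and the rule that an empty window repeats the last price are all assumptions made for illustration.

```python
from statistics import median

MAX_DEV_PCT = 10  # the max_dev = 10 threshold described in the text

# Constructed sample: (price, quantity) trades per 300-second window.
WINDOWS = [
    [(1.05, 400), (1.06, 250)],
    [(1.05, 300)],
    [(1.04, 500), (1.05, 100)],
    [(1.05, 200)],
    [(106.73, 50)],  # one thin trade dominates the whole window
    [],              # no trades follow, so the outlier persists
]

def feed(windows):
    """VWAP per window. Assumptions: the first window has trades and an
    empty window repeats the last published price."""
    prices = []
    for trades in windows:
        volume = sum(q for _, q in trades)
        if volume:
            prices.append(sum(p * q for p, q in trades) / volume)
        else:
            prices.append(prices[-1])
    return prices

def deviation_pct(new, ref):
    return abs(new - ref) / ref * 100

def adjacent_check(prices):
    """Accept window i if it is within MAX_DEV_PCT of window i-1 only."""
    return [deviation_pct(prices[i], prices[i - 1]) <= MAX_DEV_PCT
            for i in range(1, len(prices))]

def trailing_median_check(prices, lookback=5):
    """Accept window i if it is within MAX_DEV_PCT of the median of up to
    `lookback` earlier windows, so a repeated outlier cannot become the
    reference until it fills most of the lookback."""
    return [deviation_pct(prices[i],
                          median(prices[max(0, i - lookback):i])) <= MAX_DEV_PCT
            for i in range(1, len(prices))]

if __name__ == "__main__":
    prices = feed(WINDOWS)
    print("feed:    ", [round(p, 4) for p in prices])
    print("adjacent:", adjacent_check(prices))         # last window accepted
    print("median:  ", trailing_median_check(prices))  # last window rejected
```

In this model the adjacent check rejects the first manipulated window but accepts the second, because the second is compared only against the first; the trailing-median check rejects both.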

3. Loan Collateralization
Using the manipulated valuation, the attacker supplied USTRY as collateral to the affected Blend pool contract: CCCCIQSDILITHMM7PBSLVDT5MISSY7R26MNZXCX4H7J5JQ5FPIYOGYFS
They then borrowed:
- 61,249,278.31 XLM
- 1,000,196.70 USDC
At the manipulated oracle price, the position appeared solvent with a health factor of 1.0985. At the true market value of USTRY, the position would have been undercollateralized, leaving the pool with bad debt.
4. Fund Extraction and Routing
Immediately after borrowing, the attacker began routing funds through bridges, exchanges, and intermediary wallets. Approximately $1.71 million in USDC was bridged via: CAOTMWRKNMV5GWSVOMWCTCM5ZZFEQFUSWNLCZXA2KAXD4YG5A4DIPNFT
Funds were transferred to EVM addresses including:
- 0xE69f6d77DB6Ff493FDD15D8A0B390c36E18E5b21
- 0x2D1CE29b4aF15fb6E76Ba9995BbE1421E8546482
- 0x0b2b16e1a9e2e9b15027ae46fa5ec547f5ef3ec6
XLM was also routed to ChangeNow and Binance deposit addresses.
- Primary exploiter: GBO7VUL2TOKPWFAWKATIW7K3QYA7WQ63VDY5CAE6AFUUX6BHZBOC2WXC
- Laundering wallet: GATDQL767ZM2JQTBEG4BQ5WKOQNGAGWZDUN4GYT2UINPEU3RT2UAMVZH
The Response: Real-Time Validator Coordination
XLM, as the native asset of the Stellar network, does not include an issuer-level freeze mechanism. Once funds are held in an account, there is no embedded administrative control to pause or reverse transfers at the asset layer. Containment therefore required action at the validator level rather than through a token-level freeze.
After attacker-controlled wallets were confirmed by Blockaid, Stellar Tier-1 validators coordinated in real time to reject transactions originating from those addresses. Approximately 48,069,094 XLM was effectively quarantined as a result. The funds remained visible onchain but were prevented from further movement, limiting additional losses while the network continued operating normally.
Tier-1 validators had the mechanism to freeze funds, but that capability depended on knowing which accounts to target. Blockaid provided that foundation, identifying and confirming the full set of attacker-controlled addresses through real-time wallet clustering, bridge tracing, and cross-chain fund tracking. The outcome demonstrated decentralized governance operating under live conditions, with validators and ecosystem partners acting collectively to contain risk.
Blockaid’s Stellar Partnership and Chain Support
Blockaid currently supports the Stellar ecosystem through transaction simulation and broader chain-level security coverage. Blockaid also provides Stellar chain support, which entails providing real-time tracking and security for tokens, dApps, and transactions within the ecosystem, thus helping builders and users transact more safely by surfacing malicious behavior before execution.
Beyond Stellar, Blockaid works closely with other major chains including Sui and Hedera, and offers support for 50+ major blockchain ecosystems through our product portfolio that includes End User Protection, Onchain Monitoring, Crypto Fraud Prevention, and Cosigner. Our detection, investigation, and response capabilities operate across wallets, exchanges, protocols, and chains, allowing us to identify threats and coordinate mitigation across the broader crypto infrastructure.
At Blockaid, we actively collaborate with our customers and partners in response efforts during live security incidents. In this case, we worked alongside Stellar validators and ecosystem participants to analyze attacker activity and coordinate mitigation steps in real time, leveraging our cross-chain partner network to help limit further fund movement.
Why Real-Time Onchain Monitoring Matters for Blockchains, Protocols and Institutions
Blockchain usage and adoption are driven by both functionality and trust. At the same time, the protocols, smart contracts, and tokens on a chain aren’t always airtight when it comes to transaction logic and code security. Hackers look to exploit such vulnerabilities, resulting in impact to chain assets and user trust. This is where Blockaid’s portfolio of products, including Onchain Monitoring, can help protect the chain and its protocols and users from price manipulation and capital erosion.
Securing the Future of RWAs
USTRY, the asset whose price was manipulated in this incident, is a tokenized U.S. Treasury asset that brings traditional financial instruments onchain. Although liquidity in its trading pair was limited at the time of the incident, the underlying asset class represents one of the most widely held and trusted markets globally. As tokenized real-world assets expand across chains, secure price formation and oracle infrastructure become essential. Without strong monitoring and risk controls, low-liquidity conditions in emerging RWA markets can create systemic exposure for protocols and capital allocators.
Conclusion
Oracle manipulation attacks underscore a growing reality in DeFi: risk no longer lives only in smart contracts. Liquidity conditions, oracle price feeds, and ecosystem dependencies are part of the attack surface. Without real-time visibility, price manipulation can quickly cascade into exposure for onchain protocols that rely on affected assets and for institutions allocating capital into those DeFi systems.
Blockaid’s onchain monitoring provides real-time detection of abnormal price shifts, manipulation patterns, and suspicious fund movements across ecosystems. By combining behavioral analytics, wallet clustering, and cross-chain tracing, Blockaid helps chains, DeFi protocols, and institutions identify and contain threats before losses compound.
About Blockaid
Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid scanned over 6.3 billion transactions and blocked 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.
Learn more at blockaid.io, and follow us on Twitter and LinkedIn.