Is YieldBlox Safe?
Risk Grade: D+ (58/100)
YieldBlox is rated as high risk — extreme novelty, critical interactions, unproven at scale.
High risk — a February 2026 oracle manipulation exploit proved the Reflector VWAP oracle can be manipulated via thin Stellar DEX liquidity, resulting in a $10.2M pool drain and TVL collapse to under $100K.
YieldBlox is Stellar's first DeFi lending protocol, built on the Blend permissionless lending framework and governed by the YBX token. In February 2026 the protocol's community-managed pool suffered a $10.2M oracle manipulation exploit when an attacker inflated the price of the illiquid USTRY collateral asset 100x via a single Stellar DEX trade, draining all pool reserves. Its D+ grade reflects a major exploit on the current codebase, a custom on-chain VWAP oracle with a proven vulnerability to thin-market manipulation, and a TVL collapse to under $100K following the incident.
TVL: $50,000
Mechanisms: 8
Interactions: 5
Value Grade: D
Key Risks for YieldBlox Users
Reflector, the VWAP oracle used by YieldBlox pools, prices assets based on recent Stellar DEX trading activity. In February 2026 a single manipulative trade in the illiquid USTRY/USDC pair inflated its oracle price 100x (from $1.05 to ~$106), enabling the attacker to borrow $10.2M in XLM and USDC before any protective mechanism triggered. Stellar validators subsequently froze $7.2M of the stolen funds, but this depends on rapid validator coordination.
YieldBlox operates on Blend's permissionless pool framework, which allows governance token holders to approve new collateral assets. The collateral approval process may lack sufficient liquidity-threshold requirements to prevent illiquid assets — like USTRY — from being added as collateral and creating oracle manipulation surfaces.
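A simplified model of the two controls these paragraphs point to, a liquidity floor at collateral listing and a depth and deviation guard on each oracle update. This is an added example, not Reflector's, Blend's or YieldBlox's code. The trade windows are constructed, the $500K daily-volume floor is the figure from this page's collapse scenario, and the per-window depth floor, the 10% deviation bound and all function names are assumptions.

```python
from dataclasses import dataclass

MIN_DAILY_VOLUME_USD = 500_000  # listing floor, from the collapse scenario on this page
MIN_WINDOW_DEPTH_USD = 10_000   # assumed per-window depth floor
MAX_DEVIATION = 0.10            # assumed max move per oracle update

@dataclass(frozen=True)
class Trade:
    price: float   # USDC per unit of the collateral asset
    amount: float  # units of the collateral asset traded

def vwap(trades):
    """Volume-weighted average price; a lone trade sets the price outright."""
    volume = sum(t.amount for t in trades)
    if volume <= 0:
        raise ValueError("no traded volume in window")
    return sum(t.price * t.amount for t in trades) / volume

def collateral_eligible(daily_volume_usd):
    """Listing-time check: refuse collateral whose market is too thin."""
    return daily_volume_usd >= MIN_DAILY_VOLUME_USD

def guarded_price(last_good, window):
    """Return (price, accepted). On rejection the last accepted price is
    held and the caller should stop new borrows against the asset."""
    # Depth is valued at the last accepted price, so an inflated trade
    # cannot also inflate the liquidity measurement.
    depth_usd = sum(t.amount for t in window) * last_good
    if depth_usd < MIN_WINDOW_DEPTH_USD:
        return last_good, False
    candidate = vwap(window)
    if abs(candidate - last_good) / last_good > MAX_DEVIATION:
        return last_good, False
    return candidate, True

# Constructed sample windows (not data from the incident).
DEEP = [Trade(1.050, 40_000), Trade(1.049, 60_000), Trade(1.051, 50_000)]
THIN = [Trade(106.0, 5)]  # one trade in an otherwise empty book

if __name__ == "__main__":
    print("unguarded thin VWAP:", vwap(THIN))
    print("guarded thin:", guarded_price(1.05, THIN))
    print("guarded deep + outlier:", guarded_price(1.05, DEEP + THIN))
    print("thin listing allowed:", collateral_eligible(40_000))
```

In the deep window the same outlier trade moves the VWAP by well under one percent, which is why the listing-time liquidity floor matters as much as the update-time guard.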
Post-exploit TVL has collapsed to approximately $50K. Script3 has committed to compensating affected users from organizational funds, but this relies on a centralized commitment rather than on-chain enforcement. The backstop module's capacity was insufficient to cover the $10.2M bad debt.
The YBX governance token has declined approximately 97% from its all-time high of $3.08 and trades at around $0.09. With limited direct revenue-sharing to holders and ongoing emissions of 15M YBX per year, the token faces continued dilutive pressure and a weak incentive structure for new depositors.
Top Risk Factors
- Custom VWAP oracle (Reflector) prices collateral assets based on recent Stellar DEX trading volume; in February 2026 an attacker placed a single manipulative trade in the illiquid USTRY/USDC pair to inflate the price 100x, enabling them to borrow the entire pool's reserves (~$10.2M) before any protective mechanism triggered.
- Permissionless pool creation allows governance to approve arbitrary collateral assets on Blend; the YieldBlox DAO's approval of USTRY — a low-liquidity Stellar asset with a single market maker — directly created the oracle manipulation surface that enabled the February 2026 exploit.
- Post-exploit TVL has collapsed from ~$10M to under $100K, creating severe exit liquidity risk and raising questions about whether the lending pools can attract meaningful capital without oracle infrastructure redesign and restored depositor confidence.
- Backstop module insurance was insufficient to cover the $10.2M bad debt from the exploit; full user compensation depends on Script3's organizational resources rather than a protocol-native recovery mechanism, creating an unresolved centralized dependency.
How YieldBlox Compares to Peers
YieldBlox ranks #87 of 90 Lending protocols (bottom quartile — among the riskiest). At a risk score of 58/100, it's 21 points riskier than the sector average of 37/100.
Adjacent peers: Maple Finance (C-, 53/100) is ranked just safer, and Radiant Capital (D+, 61/100) is ranked just riskier.
See the full Lending sector leaderboard or the YieldBlox vs Radiant Capital comparison.
Common Questions about YieldBlox
Plain-English answers based on YieldBlox's scores across Hindenrank's 8 risk dimensions. The highest-scoring (riskiest) dimension is Track Record (15/15).
Has YieldBlox ever been hacked or exploited?
YieldBlox has a documented incident history that materially raised its risk grade: the track record dimension scored 15/15, the top of the scale. Past exploits, governance failures, or contract issues are baked into this rating. Anyone considering deposits should review the incident details before allocating capital.
How much money is at stake in YieldBlox?
YieldBlox currently holds a small TVL — exit liquidity is a real concern at this size. Smaller TVL means individual depositors carry a larger share of any loss event, and it can be harder to exit a position quickly during stress.
What's the worst-case scenario for YieldBlox?
Hindenrank has identified specific collapse scenarios for YieldBlox. The most prominent: "Reflector VWAP Oracle Manipulation via Illiquid Collateral Asset". The trigger condition is: a YieldBlox DAO Pool approves a collateral asset with less than $500K daily SDEX volume, and the asset's sole market maker withdraws all liquidity for 10+ minutes, leaving no valid recent trades for Reflector to aggregate. Reading through the full scenario list on the protocol page is the single best way to understand the actual failure modes; generic "smart contract risk" is rarely the thing that takes a protocol down.
Is YieldBlox regulated or insured?
YieldBlox has low regulatory exposure on Hindenrank's framework (2/10). The protocol is structured in a way that minimizes counterparty and jurisdiction concentration, though regulatory risk in crypto can change rapidly. No DeFi protocol carries FDIC-style insurance — even with low regulatory risk, depositors are not protected in the way bank customers are.
What are the biggest red flags for YieldBlox?
Hindenrank's retail-focused risk audit flagged:
- Reflector, the VWAP oracle used by YieldBlox pools, prices assets based on recent Stellar DEX trading activity. In February 2026 a single manipulative trade in the illiquid USTRY/USDC pair inflated its oracle price 100x (from $1.05 to ~$106), enabling the attacker to borrow $10.2M in XLM and USDC before any protective mechanism triggered. Stellar validators subsequently froze $7.2M of the stolen funds, but this depends on rapid validator coordination.
- YieldBlox operates on Blend's permissionless pool framework, which allows governance token holders to approve new collateral assets. The collateral approval process may lack sufficient liquidity-threshold requirements to prevent illiquid assets — like USTRY — from being added as collateral and creating oracle manipulation surfaces.
- Post-exploit TVL has collapsed to approximately $50K. Script3 has committed to compensating affected users from organizational funds, but this relies on a centralized commitment rather than on-chain enforcement. The backstop module's capacity was insufficient to cover the $10.2M bad debt.
On the technical side, 1 critical-severity interaction risk has been identified.
Should beginners deposit into YieldBlox?
YieldBlox carries a D+ grade — among the riskiest protocols in Hindenrank's coverage. Beginners should not deposit here. Anyone considering a position should understand they may lose everything they put in, and should size accordingly.
How does YieldBlox compare to safer Lending alternatives?
YieldBlox is one protocol in Hindenrank's Lending coverage. The safest Lending protocols on the leaderboard tend to share three traits: a long incident-free track record, conservative mechanism design, and high-quality public documentation. Compare YieldBlox against the full Lending ranking before committing capital.
For the full 8-dimension score breakdown, the radar chart, and dependency graph, see the YieldBlox risk report.
Read the Full YieldBlox Risk Report
This protocol has 2 collapse scenarios. 1 critical and 2 high-severity interaction risks identified. See the full mechanism classification, interaction matrix, and deep-dive recommendations.