Is YieldBlox Safe?
Risk Grade: D+ (60/100)
YieldBlox is rated as high risk — extreme novelty, critical interactions, unproven at scale.
High risk — a February 2026 oracle manipulation exploit proved the Reflector VWAP oracle can be manipulated via thin Stellar DEX liquidity, resulting in a $10.2M pool drain and TVL collapse to under $100K.
YieldBlox is Stellar's first DeFi lending protocol, built on the Blend permissionless lending framework and governed by the YBX token. In February 2026 the protocol's community-managed pool suffered a $10.2M oracle manipulation exploit when an attacker inflated the price of the illiquid USTRY collateral asset 100x via a single Stellar DEX trade, draining all pool reserves. Its D+ grade reflects a major exploit on the current codebase, a custom on-chain VWAP oracle with a proven vulnerability to thin-market manipulation, and a TVL collapse to under $100K following the incident.
TVL
$50,000
Mechanisms
8
Interactions
5
Value Grade
D
Key Risks for YieldBlox Users
Reflector, the VWAP oracle used by YieldBlox pools, prices assets based on recent Stellar DEX trading activity. In February 2026 a single manipulative trade in the illiquid USTRY/USDC pair inflated its oracle price 100x (from $1.05 to ~$106), enabling the attacker to borrow $10.2M in XLM and USDC before any protective mechanism triggered. Stellar validators subsequently froze $7.2M of the stolen funds, but this depends on rapid validator coordination.
YieldBlox operates on Blend's permissionless pool framework, which allows governance token holders to approve new collateral assets. The collateral approval process may lack sufficient liquidity-threshold requirements to prevent illiquid assets — like USTRY — from being added as collateral and creating oracle manipulation surfaces.
Post-exploit TVL has collapsed to approximately $50K. Script3 has committed to compensating affected users from organizational funds, but this relies on a centralized commitment rather than on-chain enforcement. The backstop module's capacity was insufficient to cover the $10.2M bad debt.
The YBX governance token has declined approximately 97% from its all-time high of $3.08 and trades at around $0.09. With limited direct revenue-sharing to holders and ongoing emissions of 15M YBX per year, the token faces continued dilutive pressure and a weak incentive structure for new depositors.
Top Risk Factors
- •Custom VWAP oracle (Reflector) prices collateral assets based on recent Stellar DEX trading volume; in February 2026 an attacker placed a single manipulative trade in the illiquid USTRY/USDC pair to inflate the price 100x, enabling them to borrow the entire pool's reserves (~$10.2M) before any protective mechanism triggered.
- •Permissionless pool creation allows governance to approve arbitrary collateral assets on Blend; the YieldBlox DAO's approval of USTRY — a low-liquidity Stellar asset with a single market maker — directly created the oracle manipulation surface that enabled the February 2026 exploit.
- •Post-exploit TVL has collapsed from ~$10M to under $100K, creating severe exit liquidity risk and raising questions about whether the lending pools can attract meaningful capital without oracle infrastructure redesign and restored depositor confidence.
- •Backstop module insurance was insufficient to cover the $10.2M bad debt from the exploit; full user compensation depends on Script3's organizational resources rather than a protocol-native recovery mechanism, creating an unresolved centralized dependency.
Risk Score Breakdown
YieldBlox's highest risk area is Track Record (15/15). Here's how each dimension contributes to the overall 60/100 score:
Read the Full YieldBlox Risk Report
This protocol has 2 collapse scenarios. 1 critical and 2 high-severity interaction risks identified. See the full mechanism classification, interaction matrix, and deep-dive recommendations.
View Full Report →Considering an investment?