A lending pool belonging to YieldBlox, a “DAO-managed money market” has suffered a hack on the Stellar blockchain, with losses valued at over $10 million.
Script3, the developer of YieldBlox, announced the loss, which happened shortly after midnight (UTC) on Sunday, pointing to oracle manipulation as the cause.
Hacker addresses holding a total of 48 million $XLM worth $7.5 million have been frozen on the Stellar blockchain.
Read more: ‘Bad actor’ Circle slammed for letting stolen $3M $USDC sit unfrozen
Reflector, the firm behind the oracle in question, said its product “quoted correct prices,” pointing to market illiquidity as the cause of the mispricing.
In a thread posted to X, Reflector describes how the attacker targeted the illiquid USTRY/$USDC market on Stellar’s exchange.
The pool’s market maker had “pulled all available liquidity… at some point,” and leading up to the exploit, there was less than $1 hourly volume.
According to the thread, the attacker pushed the price of USTRY from approximately $1.05 to over $100 in a single trade. They then used overvalued USTRY collateral to borrow against, withdrawing $10.2 million of assets.
A total of 61 million $XLM and 1 million $USDC were borrowed from the YieldBlox pool, according to DeFi security firm Decurity. Most of the $USDC was bridged back to Ethereum, and 48 million $XLM has been frozen.
YieldBlox Security Council sent an on-chain message to the hacker’s Ethereum address, offering a 10% bounty if the remaining funds are returned. The message offers to provide instructions on how to return the 48 million $XLM held in the frozen addresses.
Stellar’s $XLM experienced a sharp drop in price shortly after the hack, but has since fully recovered.
Weekend wipeout
After a fairly quiet couple of weeks for DeFi hacks, this weekend saw over $18 million worth of assets stolen.
On Saturday morning, IoTeX Bridge suffered a suspected private key compromise, with losses initially estimated at $8 million.
Security researcher Weilin Li observed the attacker “minted [a] huge amount of IOTX token” before “depositing to Binance for selling”.
However, an update from IoTeX revised the estimated “exploit impact” down to just $2 million. It called the incident “a sophisticated, long-planned attack by professional actors targeting multiple chains.”
Read more: Binance, OKX, HTX, Bybit, Kraken cited in ICIJ scam probe
According to blockchain auditor Peckshield, funds were bridged to bitcoin via THORChain.
THORChain has previously come under fire for profiting off the transfer of illicit funds. A notable example being last year’s $1.5 billion ByBit hack, the laundering of which ZachXBT estimated THORChain profited $200,000.