Top 3 DeFi Incidents in February
YieldBlox DAO: ~$10M
On February 22, 2026, a lending pool operated by YieldBlox DAO on Stellar's Blend V2 was exploited, resulting in losses exceeding $10 million.
The root cause was a dependence on a manipulable price source. Specifically, the USTRY/USDC market on SDEX had extremely low liquidity. The attacker cleared legitimate orders and inserted abnormal ones, artificially inflating the USTRY price from approximately $1.06 to $107. Reflector subsequently updated its price feed with this manipulated value, causing the lending pool to overvalue USTRY collateral severely. Leveraging this inflated collateral valuation, the attacker supplied minimal USTRY collateral and borrowed approximately 1M USDC and 61.2M XLM across two transactions. The stolen assets were then bridged to Base, BSC, and Ethereum.
Importantly, this incident was not caused by a contract vulnerability, but by a configuration failure at the pool-operator level. This case underscores the critical importance of robust, manipulation-resistant price feeds for lending protocols that rely on external Oracles. Protocol operators must exercise extreme caution when selecting and continuously monitoring oracle sources.
View in-depth technical analysis
IoTex: ~$4.4M
On February 21, 2026, IoTeX's ioTube bridge suffered a security breach, resulting in losses exceeding $4.4 million.
The root cause was the private key compromise of the Ethereum-side Validator contract owner. Because the bridge architecture granted full administrative authority to a single owner without multi-signature or timelock safeguards, the attacker was able to invoke the Validator contract's upgrade() function to transfer ownership of both TokenSafe and MintPool contracts to an attacker-controlled address. The attacker then minted over 410M CIOTX via MintPool and drained approximately $4.4M in bridge reserve assets (USDC, USDT, WBTC, WETH, BUSD, etc.) from TokenSafe. According to the project team, approximately 355M of the minted CIOTX tokens have been permanently locked or frozen as of February 26.
This incident is a textbook single-point-of-failure key compromise, underscoring the critical risks of centralized administrative control in cross-chain bridge architectures. Project teams should avoid concentrating critical privileges in a single account, particularly for high-risk operations such as contract upgrades, asset custody, and token minting.
CrossCurve: ~$2.8M
On February 2, 2026, the CrossCurve bridge protocol was exploited across multiple chains, including Ethereum, Arbitrum, and Optimism. The incident resulted in losses of approximately $2.8 million.
The root cause was that the ReceiverAxelar contract exposed a permissionless expressExecute() function that circumvents Axelar Gateway’s standard validation process. Under Axelar's intended security model, cross-chain messages must first be approved by the Gateway and then validated on the destination chain via validateContractCall(). However, the expressExecute() path skipped this process entirely, relying only on whitelist checks using sourceChainand sourceAddress parameters. However, both parameters were user-specified and can be spoofed by the attacker. By crafting a forged message with a whitelisted peer address, the attacker circumvented all security checks and triggered the unlock() function on the Eywa CLP Portal, releasing 999,787,453 EYWA tokens.
This incident demonstrates that fast-track execution paths must enforce the same security assumptions, validation logic, and access control guarantees as standard execution flows. Any optimization that weakens the canonical trust model effectively creates a security bypass.
The information above is based on data as of 00:00 UTC, February 28, 2026.
This concludes the February security incidents brief.
You can learn more in our Security Incidents Library.
Stay informed and stay secure!
