Oracle

• Aave CAPO Oracle Misfired. $27.78M in Healthy Positions Were Liquidated. March 28, 2026

  On March 10, 2026, Aave's own anti-manipulation oracle system triggered $27.78 million in liquidations against 34 healthy wstETH positions. No hack. No market crash. One automated parameter update.

• BSC Stake Contract Drained $133K via TUR Token Price Manipulation March 27, 2026

  A BSC Stake contract lost $133K after an attacker manipulated spot prices in the low-liquidity TUR-NOBEL pool, inflated staking rewards, and drained the contract via referred accounts -- a textbook unprotected oracle vulnerability flagged by BlockSec Phalcon.

• Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager March 24, 2026

  Oracle issued an out-of-band emergency patch on March 19 for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE affecting Oracle Identity Manager and Web Services Manager. If your org runs either product on versions 12.2.1.4.0 or 14.1.2.1.0, patching cannot wait for the next quarterly cycle.

• YieldBlox: When Your Oracle Trusts a $1 Market March 24, 2026

  An attacker pumped a thinly traded collateral asset 100x on the Stellar DEX and borrowed $10.97 million against the fake price. The oracle had no minimum liquidity threshold -- it just reported what it saw.

• YieldBlox Lost $10.97M Because Its Oracle Trusted a Price Nobody Was Watching March 23, 2026

  On February 22, 2026, a single 50-cent trade on a ghost-town DEX market was enough to drain $10.97M from YieldBlox's lending pool on Stellar. The oracle reported the manipulated price faithfully. Nobody had asked whether the market was worth trusting.