Ostium Halts Trading After Oracle Exploit Drains up to $18M from Vault

Ostium, an Arbitrum-based perpetuals exchange for trading real-world assets that raised about $27.8 million from backers including General Catalyst and Jump Crypto, halted all trading Wednesday after an attacker manipulated its oracle system to drain as much as $18 million in USDC from its liquidity vault.
Blockaid, an onchain security firm, said the attacker "used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to create artificial trade profit, triggering a ~$18M USDC payout from the vault." The firm disclosed the exploit transaction and the attacker's address, both on Arbitrum. The cited transaction, 0x359f8c05...d4870e0, is confirmed onchain.
Figures Differ
Blockaid pegged the payout at roughly $18 million. Independent onchain observers put the figure lower, with some estimating the drained sum near $11.86 million. Ostium has not published its own accounting of the loss.
The protocol held about $63.3 million in total value locked shortly before the attack, according to DefiLlama data, which would make even the low-end estimate a meaningful share of the vault's balance.
The exploit is the latest to abuse the automated "keeper" and oracle systems that DeFi protocols use to push real-world prices onchain. Summer.fi lost about $6.04 million in a share-price manipulation on July 6, according to its post-mortem. In April 2025, an attacker drained roughly $7.5 million from KiloEx across three chains by impersonating a trusted keeper to feed the protocol false prices, a structure similar to what Blockaid described at Ostium.
The pattern points to a recurring weak spot for protocols that settle trades against off-chain data: the machinery that delivers prices is often trusted by default, and once an attacker controls it, the protocol pays out on trades that never made money.
Trading Paused
Ostium confirmed the incident and paused the market. "We are aware of the issue with the OLP vault. We have paused all trading. The team is investigating," the protocol posted on X.
Ostium lets users trade perpetual contracts on assets such as gold, oil, equity indices and forex from a crypto wallet, with settlement in USDC on Arbitrum, a Layer 2 network. The protocol's OLP vault has supported more than $33 billion in cumulative trading volume across 50-plus markets, according to Ostium.
The component Blockaid says the attacker used sat inside the perimeter Ostium had told security researchers to treat as safe. Ostium's bug bounty scope states that all registered keepers, including PriceUpKeep, "and their forwarders are assumed to be trusted and operating correctly," and that findings requiring a compromised or malicious keeper fall outside the program.
The mechanism and the top-end loss figure are Blockaid's stated findings, and neither has been independently reconciled. Blockaid's post describes a "registered forwarder" and "future-dated authorized oracle reports"; it does not say a private key was compromised, though some accounts of the attack have characterized it that way.
Ostium has not confirmed how the attacker gained the ability to submit the reports, nor has it published a loss tally.
Advertisement
Get an edge in Crypto with our free daily newsletter
Know what matters in Crypto and Web3 with The Defiant Daily newsletter, Mon to Fri
90k+ Defiers informed every day. Unsubscribe anytime.




