Ostium loses about $18 million after oracle key exploit
Security firm Blockaid said attackers used falsified oracle reports to pull USDC from the Arbitrum-based perpetuals exchange.
By Dev Ramirez · Crypto Correspondent
· 3 min read
Ostium, a decentralized perpetuals exchange, lost about $18 million in USDC on Wednesday after attackers tampered with the pricing system that its trading engine relies on, according to blockchain security firm Blockaid. For users and liquidity providers, the key issue is that a manipulated price feed can turn fake trades into real payouts.
Blockaid said in a post on X that the attackers compromised an oracle signer key. An oracle is a service that brings outside data, such as asset prices, onto a blockchain, where smart contracts can use it. A signer key is used to approve that data as legitimate.
According to Blockaid, the attacker used a registered PriceUpKeep forwarder and authorized oracle reports dated in the future to feed incorrect pricing information into Ostium. That let the attacker create artificial trading gains and trigger a payout from Ostium’s liquidity vault in USDC, the dollar-pegged stablecoin issued by Circle.
Ostium acknowledged the problem on X, writing: “We are aware of the issue with the OLP vault. We have paused all trading. The team is investigating.”
How the attack hit Ostium
Ostium runs on Arbitrum, an Ethereum scaling network. The platform offers perpetual futures, which are derivatives contracts that let traders bet on price moves without an expiration date. Its markets are tied to real-world assets including stocks, commodities, foreign exchange markets and indices, according to Ostium’s website.
The exchange is a DEX, short for decentralized exchange. That means users generally interact through crypto wallets rather than traditional brokerage-style accounts, and the platform says users do not need to provide personally identifiable information.
At the time of the exploit, Ostium held about $63 million in total value locked, according to the reported figures. Total value locked, or TVL, is the amount of crypto deposited in a protocol’s smart contracts. The roughly $18 million loss represented close to one-third of Ostium’s liquidity.
DeFi losses keep piling up
The Ostium exploit adds to a difficult stretch for decentralized finance, or DeFi, the category of blockchain-based financial apps that run without traditional intermediaries such as banks. Decrypt has reported that more than $840 million was stolen from DeFi protocols in the first five months of 2026.
That total included $292 million taken from KelpDAO and $285 million from Drift Protocol, according to Decrypt reporting. In June, Resolv Labs was also hit, with hackers stealing more than $25 million.
Security specialists have also warned that artificial intelligence could make exploit discovery faster. Danny Jenkins, CEO and co-founder of ThreatLocker, previously told Decrypt that “AI is far better at reviewing code than most people and finding potential vulnerabilities in it.” Jenkins said newer models could expand those capabilities, calling it an imminent “big problem.”
Decrypt also reported that security researcher Taylor Hornby used Anthropic’s Claude Opus 4.8 in May to find a four-year-old counterfeiting vulnerability in Zcash. The Ostium incident shows a different weak point: when a protocol trusts an oracle, control over the data-signing process can become a direct path to customer-facing losses.
This story draws on original reporting from Decrypt.