Key facts
- Ostium lost approximately $18 million in USDC due to an oracle manipulation exploit.
- The attacker manipulated future timestamps in price reports submitted by Ostium's automation system.
- This created the appearance of profitable trades, triggering the payout from the protocol's vault.
- Ostium is a decentralized perpetuals exchange on Arbitrum focused on real-world assets.
- The exploit follows a recent $6 million drain from Summer.fi due to similar vulnerabilities.
An attacker has drained approximately $18 million in USDC from the liquidity vault of Ostium, a decentralized perpetuals exchange operating on the Arbitrum network. The exploit, detected by blockchain security firm Blockaid, involved manipulating oracle price reports with future-dated timestamps. This manipulation created the illusion of profitable trades, which then triggered the large USDC payout from Ostium's vault.
Ostium specializes in enabling users to trade real-world assets like gold, forex, and equity indices with up to 200x leverage, settling trades in USDC. The protocol utilizes a custom price-feed system, with the automation network Gelato responsible for pushing real-world asset prices on-chain. A smart contract named PriceUpKeep acts as the trigger for updating price data during trade executions.
This incident is the latest in a series of similar exploits targeting oracle and keeper systems within decentralized finance. Last week, Summer.fi suffered a $6 million drain due to comparable vulnerabilities. These attacks highlight ongoing security challenges in the automated infrastructure that DeFi protocols depend on for integrating real-world data.
Prior to this exploit, Ostium had successfully raised $27.8 million in total funding, including a $24 million Series A round in late 2025. The platform had also processed over $50 billion in cumulative trading volume.
