Key Takeaways:
- An attacker drained about $18 million USDC from Ostium's liquidity vault on Arbitrum
- The exploit used falsified future-dated oracle reports to generate fake trading profits
- Ostium paused all trading and is investigating the incident
Key Takeaways:

An attacker drained about $18 million in USDC from Ostium's liquidity vault on Arbitrum after compromising the protocol's oracle price-feed system.
"The attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to create artificial trade profit," blockchain security firm Blockaid said in an alert on X.
The exploit targeted Ostium's PriceUpKeep smart contract, a component of the protocol's automated price-feed infrastructure that relies on Gelato, a third-party automation network, to push real-world asset prices onchain. By submitting oracle reports with manipulated future timestamps, the attacker made losing trades appear profitable, triggering repeated open-and-close loops that extracted roughly $18 million USDC from the main liquidity pool. On-chain data shows the stolen funds represented about 28% of Ostium's $63 million in total value locked at the time of the attack.
The breach follows a $6 million drain from Summer.fi last week and highlights persistent vulnerabilities in the keeper and oracle infrastructure that DeFi protocols depend on to bring off-chain price data onchain. Ostium, a decentralized perpetuals exchange on Arbitrum offering up to 200x leverage on tokenized real-world assets including equities, commodities, forex and indices, had raised $27.8 million from investors including General Catalyst, Jump Crypto and Coinbase Ventures.
The primary exploit transaction is publicly verifiable on Arbiscan. Blockaid first flagged the incident, noting that the attacker executed roughly 20 looped trades through delegated actions, bypassing verification checks to submit favorable future prices and instantly profiting at the protocol's expense without genuine market exposure.
Ostium acknowledged the incident on X, writing: "We are aware of the issue with the OLP vault. We have paused all trading. The team is investigating."
The protocol had processed over $50 billion in cumulative trading volume before the incident, according to the company. Despite strong institutional backing and multiple security audits, the exploit exposes the risks inherent in oracle-dependent RWA infrastructure, where a single compromised signer key can bypass verification checks and drain a protocol's primary liquidity pool.
The attack adds to a brutal year for DeFi security. More than $840 million was stolen from DeFi protocols in the first five months of 2026, including $292 million from KelpDAO and $285 million from Drift Protocol, according to industry data. Hackers also targeted Resolv Labs in June, stealing over $25 million.
Security experts warn that advances in artificial intelligence are accelerating vulnerability discovery. Danny Jenkins, CEO and co-founder of ThreatLocker, previously told Decrypt that AI systems are already "far better at reviewing code than most people and finding potential vulnerabilities in it."
This article is for informational purposes only and does not constitute investment advice.