Ostium vault stolen: Is there another incident in DeFi security?

CN
2 hours ago

On July 16, 2026, the public OLP treasury of the decentralized perpetual contract protocol Ostium was raided, and this pool, which originally carried the core funds of liquidity providers, was completely emptied in a short period of time. According to PeckShield's monitoring, the attacker first injected 1 ETH into related addresses through ChangeNow and Bybit as "seed capital," and then took advantage of yet undisclosed vulnerabilities to attack the treasury, sweeping away approximately 24 million USDC in one go. More critically, these funds hardly remained on-chain: the stolen USDC was quickly exchanged for about 12,080 ETH, of which approximately 10,540 ETH has been gradually sent to the Ethereum mixing service Tornado Cash, while the whereabouts of about 1,540 ETH remain undisclosed, becoming a key blank in tracking the on-chain fund path. Against the backdrop of frequent attacks on DeFi liquidity treasuries in 2026, the design of the Ostium public treasury, which centrally holds user assets, turns into a systemic loss once breached. This incident once again exposes the structural contradiction in DeFi between “high capital concentration to improve capital efficiency” and “asset protection boundaries that are easily breached.”

Public OLP Treasury Breached: Ostium Targeted Precisely

By design, Ostium is a decentralized perpetual contract protocol, with its frontend serving as the trading interface and leverage tools. The real backbone supporting these leverages and positions is the public OLP treasury—the Ostium Liquidity Provider Pool. Users centralize their funds in the OLP, with the protocol uniformly taking on market-making, betting, and liquidation risks. This "shared treasury" structure trades higher capital efficiency for greater concentration: as long as the treasury contract remains secure, liquidity providers can earn fees according to the rules; once the treasury is breached, all positions and user assets carried within it will be quickly exposed to the same attack vector.

In this incident, it was not a careless user wallet that was attacked, but the entire public OLP treasury itself, with approximately 24 million USDC being entirely siphoned off in one contract-layer strike. The stolen assets were quickly exchanged for about 12,080 ETH, which were then sent in batches to Tornado Cash. For the attacker, this was a “precise targeting” of the core treasury contract; once the weak spots in permission management, parameter configuration, or contract logic were found, they could directly rewrite the ownership of treasury assets. For the protocol and liquidity providers, such a single point of failure under this structure can rapidly magnify into systemic loss. Looking back at frequent similar cases since 2026, it is evident that many DeFi protocols exhibit common vulnerabilities in treasury design and permission layering—overly centralized asset custody and overly centralized control—while Ostium's targeting highlights that these structural risks have not been genuinely resolved.

From ChangeNow to Tornado

Prior to the treasury raid, on-chain indicators had provided a clear “preparatory action” path. Monitoring by PeckShield shows that the attacker first transferred 1 ETH each to the same related address through ChangeNow and Bybit, completing the injection of minimal seed capital. These two seemingly ordinary deposits preceded the formal attack on the Ostium public OLP treasury: having gas, having a testing environment, followed directly by the attack. By the time the attack was executed on July 16, 2026, approximately 24 million USDC had been withdrawn from the treasury and quickly converted into about 12,080 ETH, transforming stable value assets into more easily splittable and transferable general chips on-chain.

What truly made tracking difficult was the path choice after conversion. According to PeckShield's data, of these 12,080 ETH, approximately 10,540 ETH was sent in batches to Tornado Cash—through incremental splits and multiple interactions, around 87% of the attack proceeds entered this mixing service, creating a typical on-chain “attack—cash out—obfuscate” model. Tornado Cash itself does not disclose subsequent recipients, meaning the vast majority of funds flowing out of the treasury have entered an impenetrable black box. The remaining approximately 1,540 ETH has not yet been publicly disclosed regarding its specific whereabouts, representing the largest blank in the current fund recovery chain and a core uncertainty that cannot be bypassed when assessing whether the attacker is still operating in the space or whether there is a risk of secondary transfers.

After the Treasury Breach: A Test of Ostium User Confidence

From the on-chain outcome, approximately 24 million USDC has been withdrawn from the Ostium public OLP treasury and swiftly laundered, which is almost equivalent to cardiac arrest for a small to medium-sized protocol reliant on its treasury as core security for perpetual contracts. Previous incidents of treasury theft in the industry show that once a core fund pool is breached, the related protocol's TVL often declines significantly in a short period. If there is a protocol token, it may also face price pressure due to deteriorating expectations; this is not an “overreaction” from market sentiment, but an instinctive defense from users when liquidity safety is called into question.

In such a scenario, the typical path for users is to: withdraw first, observe later, and then decide whether to return. Fund providers will instinctively choose to withdraw assets from the remaining treasury or related products, watching to see if the team can explain the cause of the attack, seal off vulnerabilities, and propose compensation or repair plans; trading users tend to reduce leverage and exposure in the protocol, locking unrealized risks in wallets they are familiar with. Since 2026, frequent incidents involving DeFi liquidity treasuries have solidified this collective psychology of “withdraw first and then discuss.” As of July 16, 2026, there has been no detailed official handling or compensation plan from the Ostium team regarding this incident in public materials. With the treasury already breached and the attack path not yet fully reconstructed, market sentiment can only oscillate between speculation and concern, and user confidence remains in a state of unresolved pending without effective reassurance.

Concerns About DeFi Security Amid Frequent Treasury Attacks

Placing Ostium back on the timeline of 2026, it is not an isolated incident that occurred suddenly. Research materials have pointed out that since 2026, liquidity core positions similar to the Ostium public OLP treasury have often been targeted, with attackers directly hitting the "funding heart" of the protocol. Many projects remain in the paradigm of “having completed several rounds of audits and remedying issues post-incident,” lacking genuine real-time monitoring and proactive defenses as an industry consensus. In this incident, on-chain anomalies were first captured and disclosed by security firms like PeckShield, with multiple media following up on the same day. However, as of July 16, 2026, the protocol side has not publicly disclosed a detailed handling or compensation plan, and this information vacuum itself is symptomatic of the current DeFi security governance.

Along this fund path, an old character that has repeatedly appeared once again becomes the focus—Tornado Cash. After the attack, the stolen approximately 24 million USDC was quickly exchanged for around 12,080 ETH, of which around 10,540 ETH—about 87% of the stolen assets—has been sent in batches to the mixing service Tornado Cash, while the whereabouts of about 1,540 ETH remain unspecified in public materials. For security teams and potential judicial assistance attempting to reconstruct the event on-chain, once funds enter a mixing pool, the traceability chain is almost severed on-site. The role of mixing tools oscillating between privacy protection and attack laundering has therefore been pushed to the center of controversy. In light of the on-chain trajectory following Ostium, the DeFi industry must acknowledge that the real security issues have far exceeded the audit reports of individual protocols.

Industry Alerts Upgraded: Ostium and DeFi Security

The Ostium public OLP treasury was rapidly siphoned of about 24 million USDC, then quickly exchanged for about 12,080 ETH, of which about 10,540 ETH has been sent to Tornado Cash, leaving only about 1,540 ETH with an unclear destination. This scene of “the treasury being directly drained” is a harsh blow to the imagination regarding protocol security in the entire DeFi world. For participants, this is not an abstract risk in a contract audit report but a direct loss on the core funds of liquidity providers, forcing everyone to recalibrate their risk preferences and position structures between “returns” and the risk of “the treasury potentially being emptied.” The following two observation points will determine the direction of the Ostium incident in the industry narrative: firstly, whether the Ostium team will, after the on-chain funds are basically "laundered," still present a clear disposal and compensation plan, joining the few past projects that attempted “negotiation with the attackers for white-hat outcomes or actively guaranteeing users;” and secondly, whether the unlaundered approximately 1,540 ETH will show signals of return, negotiation markers, or other on-chain signals, retaining tracking space for security institutions and judicial assistance. Multiple security agencies and media have already followed up on this case on the same day, indicating that the safety of liquidity treasuries and the use of mixing tools are becoming core issues in DeFi for 2026. After Ostium, the true necessity of careful attention isn't just the audit results of individual projects, but whether the entire industry can establish higher treasury safety and protocol protection standards beyond the narrative of returns.

Join our community, let's discuss and become stronger together!
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
On-chain Telegram community: https://t.me/AiCoinWhaleData
On-chain community: https://www.aicoin.com/link/chat?cid=N6OVMor5g
AiCoin on-chain Twitter: https://x.com/aicoinwhaledata

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。

Share To
APP

X

Telegram

Facebook

Reddit

CopyLink