Ostium, which raised 27.8 million dollars, was pierced by a prophecy machine private key.

CN
2 hours ago
The wave of oracle attacks continues to impact DeFi

By: ChandlerZ, Foresight News

On July 15, the decentralized perpetual contract protocol Ostium on Arbitrum experienced an oracle attack, with the OLP liquidity vault drained of approximately 18 to 24 million USDC. The attacker utilized a leaked oracle signer key to submit forged future timestamp price data through the protocol’s own price reporting infrastructure, repeatedly opening and closing positions around 20 times to withdraw fake profits from the vault.

Security firm PeckShield monitored and reported that approximately 24 million USDC was stolen from Ostium's public OLP vault. The attacker subsequently exchanged these funds for around 12,080 ETH, of which 10,540 ETH has already been transferred to Tornado Cash.

The attacker initially transferred 1 ETH to the wallet address each from ChangeNow and Bybit as initial funding.

The Ostium team has now announced the suspension of all trading, with user positions remaining open and unmodifiable, and the trading margin held unchanged in the frozen trading smart contracts. The team will continue to provide updates regarding the recovery of smart contract activities and the timeline for fund recovery, and will promptly announce any new developments. Currently, the team is in continuous coordination with relevant authorities, SEAL 911, and several security researchers.

Attacking the protocol with its own infrastructure

Ostium uses a custom oracle system to track the prices of real-world assets such as stocks, commodities, and foreign exchange, with price data pushed on-chain as needed by a third-party automation network, Gelato. The core component is a smart contract called PriceUpKeep, which triggers the on-chain recording of the latest price data whenever a transaction needs to be executed.

Blockaid first disclosed the details of the attack, noting that the root cause was the theft of an oracle signer private key. This key is used to verify the authenticity of external price data, and holding it means one can submit price reports to the protocol that appear completely legitimate. The attacker utilized this key to submit forged price data with future timestamps via the registered PriceUpKeep relayer.

The specific operational path was that the attacker opened positions at market prices, then used the forged price data to call the performUpkeep function, turning losing positions into huge profits in the eyes of the protocol, and then immediately closed positions to withdraw profits.

Security firm Decurity analyzed one of the transactions, where the attacker withdrew approximately 11.86 million USDC from the vault in a single operation. The entire cycle was repeated about 10 times, with the margin rolling from $1,000 to $80,000, then to $700,000, with a single round return rate of about 900%.

The source of the attacker's initial funds has been traced: obtaining 1 ETH each from the KYC-free exchange ChangeNow and exchange Bybit as startup funds, injected into wallet address 0x321D...8bfD9.

TVL evaporating by 40%, losses not yet fully assessed

The OLP vault of Ostium allows liquidity providers to deposit USDC to obtain OLP tokens, with the vault paying profits to LPs from transaction fees generated by trading activities. This design makes the vault the counterparty to every trade on the platform. When the attacker created fake profits through forged prices, the "profits" flowed directly from the funds pool that LPs had deposited.

Before the attack, the OLP vault held approximately 34 million USDC, with the protocol's TVL plummeting from about 65 million USDC to 37.83 million USDC, with this attack draining over 40% of the liquidity.

Estimates of the losses by various security firms differ, with Blockaid reporting around 18 million USD in losses, CertiK estimating around 22 million USD, and PeckShield offering a figure close to 24 million USD. Ostium itself has not yet announced an official loss figure.

Ostium issued a statement after the incident, acknowledging the unusual situation of the OLP vault, suspending all trading, and stating that the team is under investigation. The protocol also advised all users to temporarily revoke their authorization to its contracts. Ostium confirmed that traders' funds and open positions are kept in a frozen state but has not yet released any recovery plans or compensation schemes.

A founding duo from Harvard

Ostium was created by Harvard alumni Kaledora Fontana Kiernan-Linn and Marco Antonio Ribeiro, who previously ran cross-platform arbitrage strategies in a hacker house in Cambridge, often facing account freezes and margin confiscations from offshore CFD brokers. Kaledora recalled in a Series A funding letter that these experiences led the team to decide to build a self-custodied, price-transparent on-chain trading protocol.

Ostium positions itself as a decentralized perpetual contract exchange for real-world assets, supporting trading in stocks, commodities, forex, and indices, with a maximum leverage of 200x, settled in USDC. Prior to the attack, the protocol had cumulatively processed over $50 billion in trading volume, with more than 95% of open contracts concentrated in the RWA asset category.

In December 2025, Ostium completed a $20 million Series A financing round, co-led by General Catalyst and Jump Crypto, along with a previously undisclosed $4 million strategic round, totaling $27.8 million in funding, with a post-money valuation of $250 million. Follow-on investors included Coinbase Ventures, Wintermute, GSR, and Susquehanna International Group (SIG), with angel investor Balaji Srinivasan, the former Coinbase CTO.

In April 2026, Ostium launched a decentralized execution layer, with institutions such as Jump participating as hedge partners.

A protocol born out of distrust towards centralized platforms was ultimately breached by a centralized component. The smart contracts had been audited, but the vulnerability of the attack was in the management of the oracle signer key, completely outside the coverage of the contract audit. Ostium's oracle architecture relies on a single signer to verify the legitimacy of price data; once this key is leaked, the attacker can submit any price as recognized by the protocol, rendering the entire verification process moot.

Most security audit companies focus on the smart contract code itself, while the operational security of oracle infrastructure, key custody solutions, and access control for signers are typically classified as operational security, outside the scope of code audit contracts. There exists a gap between the correctness of contract logic and the security of the underlying infrastructure that audits cannot reach. The attacker of Ostium took advantage of this gap.

Three oracle attacks in one week

In the past week, at least three DeFi protocols suffered significant losses due to oracle-related vulnerabilities.

On July 11, Bonzo Finance on the Hedera network lost 9 million USD due to a price data vulnerability exposed by the Supra oracle. Subsequent investigations revealed that Supra had fixed the same vulnerability on 11 other chains prior to the attack; Hedera was the only deployment that had not been patched in time. On July 15 (the same day as Ostium), the DeFi lending platform Summer.fi announced its permanent shutdown after losing 6 million USD in a price manipulation attack the previous week; the seven-year-old team judged that the protocol could not recover from the incident.

According to CertiK’s recent report “Hack3D: First Half of 2026 Report,” there were 344 security incidents in the Web3 ecosystem in the first half of 2026, with total losses of about 1.32 billion USD. Excluding the impact of the 1.45 billion USD security incident faced by Bybit, the loss scale for the first half of the year increased by about 28% year-on-year. Wallet theft caused approximately 450 million USD in losses, being the highest loss type; code vulnerabilities remained the most common attack method, totaling 204 occurrences.

The report stated that attackers are increasingly targeting high-net-worth targets and outdated smart contracts lacking re-audits, with Web3 security risks continuously escalating.

For Ostium's LPs, there are three upcoming points to observe: whether the attacker can be identified, if the funds can be recovered, how Ostium will compensate the affected LPs, and whether the protocol can resume operations after reinforcing its oracle infrastructure. As of publication, there are no answers to these three questions.

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。

Share To
APP

X

Telegram

Facebook

Reddit

CopyLink