The exploit exploited Ostium’s price-reporting system to falsify trades and withdraw $18 million in USDC from its Arbitrum vault.
A hacker manipulated Ostium’s price-feed automation system, submitting falsified oracle data with future timestamps to trigger an $18 million payout in USDC. The attack exploited a registered component of the protocol’s infrastructure, making losing trades appear profitable.
The incident follows a recent $6 million exploit at Summer.fi and underscores persistent vulnerabilities in DeFi oracle systems. Ostium, a perpetuals exchange on Arbitrum, had raised $27.8 million in funding and processed over $50 billion in trading volume before the breach.
Blockchain security firm Blockaid detected the exploit, which targeted Ostium’s liquidity vault. The protocol focuses on real-world assets, including gold, forex, and equity indices.