Ostium has halted buying and selling after an exploit tied to a compromised oracle signer key drained practically $18 million USDC from its liquidity vault, in response to blockchain safety agency Blockaid.
Abstract
- Blockaid linked Ostium’s $18 million exploit to a compromised oracle signer key.
- The attacker drained as much as 28% of the protocol’s $63 million liquidity vault.
- Ostium halted buying and selling as investigators probe the oracle-based assault.
Blockaid reported that the attacker gained management of an oracle signer personal key, permitting them to bypass the protocol’s verification course of and submit future-dated value studies that favored their trades. Utilizing a registered PriceUpKeep forwarder, the attacker repeatedly opened and closed positions by means of delegated actions, extracting earnings with out taking real market danger.
The safety agency mentioned the exploit triggered round 20 buying and selling loops that steadily drained funds from Ostium’s predominant vault. On-chain data present the attacker withdrew between $11.86 million and $18 million USDC, equal to roughly 28% of the protocol’s $63 million complete worth locked on the time of the incident. The first exploit transaction may be verified on Arbiscan.
Ostium, which operates on Arbitrum, presents decentralized perpetual buying and selling for tokenized real-world belongings, together with equities, commodities, international change markets and inventory indices.
Oracle key compromise enabled repeated revenue extraction
As an alternative of exploiting a flaw in sensible contract code, the attacker abused trusted oracle infrastructure after acquiring a sound signer key. In response to Blockaid, the manipulated oracle studies allowed favorable costs to move protocol checks, making every commerce seem official whereas transferring losses to the liquidity vault.
The incident has renewed consideration on oracle safety as decentralized finance protocols more and more rely upon exterior knowledge feeds for pricing. Blockaid attributed the exploit to compromised signing credentials reasonably than a pricing error or market manipulation by means of regular buying and selling exercise.
The protocol has since paused buying and selling whereas the investigation continues. Customers have been suggested to observe Ostium’s official communication channels for updates on withdrawals and any additional restoration measures.
Institutional backing failed to forestall one other safety setback
Earlier than the exploit, Ostium had raised about $27.8 million from buyers together with Normal Catalyst, Bounce Crypto, Coinbase Ventures, Wintermute and GSR. The incident occurred regardless of the undertaking’s institutional backing and a number of safety audits, highlighting that infrastructure exterior audited sensible contracts can nonetheless turn out to be a crucial level of failure.
The assault additionally provides to a collection of current safety incidents affecting crypto platforms. Earlier this month, crypto.information reported that Ctrl Pockets introduced it might completely shut down after a separate safety exploit affecting some Cardano wallets.
The corporate gave customers till Aug. 3 to maneuver their crypto belongings earlier than pockets features, together with sending, receiving and swapping, are disabled, leaving solely restoration phrase exports out there.
Elsewhere within the Arbitrum ecosystem, Secret Community lately proposed migrating its SCRT token from Cosmos to Arbitrum, citing safety considerations, weaker liquidity and growing old code on its present community. The proposal features a one-time Sept. 1 snapshot that will distribute a brand new ERC-20 SCRT token on Arbitrum to eligible native and staked SCRT holders.
As tasks proceed increasing onto Arbitrum, the Ostium exploit demonstrates that securing oracle infrastructure stays as vital as auditing sensible contracts. In response to Blockaid’s findings, a single compromised signer key was sufficient to bypass trusted value verification and inflict multimillion-dollar losses inside hours.


