July 16, 2026
Ostium Exploit — $18M Drained
Ostium, a leading RWA perpetuals DEX on Arbitrum, was hit with a ~$18M USDC exploit yesterday. The attacker gamed the protocol’s own…

By 0xsk777
2 min read
Ostium, a leading RWA perpetuals DEX on Arbitrum, was hit with a ~$18M USDC exploit yesterday. The attacker gamed the protocol's own price-feed infrastructure to drain ~28% of its $63M OLP liquidity vault.
Here's what happened, how it worked, and why it matters ↓
The Attack Vector
The attacker compromised a registered PriceUpKeep forwarder — a component of Ostium's automated oracle infrastructure (powered by Gelato). This allowed them to submit oracle price reports with future-dated timestamps.
Instead of a classic smart contract exploit, this was a key compromise on the off-chain automation layer.
How the Exploit Unfolded
- Attacker gained access to the oracle signer's private key
- Used it to bypass verification checks on PriceUpKeep
- Submitted falsified, future-dated price data
- Executed ~20 looped trades through delegated actions
- Each trade appeared profitable due to the manipulated prices
- Drained funds in a 5-minute window (14:18–14:23 UTC)
No real market exposure was needed — the attacker manufactured fake profits.
The Damage
- ~$18M USDC extracted (CertiK estimated up to $22M)
- ~28% of OLP vault's $63M TVL gone
- Primary tx: verified on Arbiscan
- Exploiter: 0x321d…bfd9
- Funds were pulled from Ostium's main liquidity pool
Protocol Background
Ostium is no small project:
- $27.8M raised from General Catalyst, Jump Crypto, Coinbase Ventures, Wintermute, GSR
- $50B+ cumulative trading volume
- 75+ trading pairs — stocks, commodities, forex, indices, crypto
- 200x leverage
- Backed by prominent angels: Balaji Srinivasan, Meltem Demirors, Nick van Eck
Response Timeline
Statement from the team (@kaledora):
"This morning, between 14:18–14:23 UTC, Ostium experienced a security issue leading to a loss of funds from the public OLP vault. Our team identified the issue within minutes and immediately began taking steps to contain it, including coordinating to pause trading contracts within the hour."
Broader Context
This is part of a worrying trend:
- Last week: Summer.fi drained for $6M via a similar keeper exploit
- April 2026: $630M in total crypto hack losses (highest since Feb 2025)
- JPMorgan has flagged bridge/oracle security as a key barrier to institutional DeFi adoption
Attackers are increasingly targeting off-chain infrastructure — oracles, automation layers, key management — rather than smart contract bugs alone.
Key Takeaways
- Oracle key management remains the Achilles' heel of DeFi — even well-funded, audited protocols are vulnerable
- RWA perps are growing fast, but the hybrid on-chain/off-chain architecture introduces new attack surfaces
- If you're in DeFi: revoke approvals regularly, especially after incidents
- The industry needs better standards for oracle security and keeper network hardening
Expect more details from Ostium's investigation in the coming days.