Decentralized perpetuals exchange Ostium suffered an oracle exploit on Wednesday, resulting in the loss of approximately $18 million in USDC. The attack, detected by blockchain security firm Blockaid, involved the compromise of an oracle signer key, which allowed the attacker to submit falsified future-dated price reports.
Using a registered PriceUpKeep forwarder and authorized oracle reports with future timestamps, the attacker created artificial trading profits that triggered a multi-million dollar payout from Ostium’s OLP liquidity vault. Blockaid identified the transaction and wallet address involved, and an investigation into the technical details is ongoing.
Ostium acknowledged the breach in a post on X, stating, “We are aware of the issue with the OLP vault. We have paused all trading. The team is investigating.” At the time of the exploit, the protocol held roughly $63 million in total value locked (TVL), meaning the attacker drained nearly one-third of its liquidity.
Built on the Arbitrum network, Ostium offers perpetual futures tied to real-world assets such as stocks, commodities, forex, and indices. It operates as a decentralized exchange, giving users custody of their funds without requiring personal information. The project has raised approximately $27.8 million from backers including General Catalyst, Jump Crypto, Coinbase Ventures, Wintermute, and GSR.
The incident underscores a brutal year for DeFi security. Over $840 million was stolen from decentralized finance protocols in the first five months of 2026, including $292 million from KelpDAO and $285 million from Drift Protocol. In June, Resolv Labs lost more than $25 million to hackers. Security experts warn that advances in AI are accelerating exploit discovery, with tools like Anthropic’s Claude 4.8 recently helping to uncover a four-year-old vulnerability in Zcash.