Ostium Pauses Trading After $18M Oracle Exploit on Arbitrum DEX

Key price-feed architecture: Ostium relies on Gelato to push on-chain price updates, and the PriceUpKeep forwarder acts as the trigger that writes price data; attackers used a registered PriceUpKeep forwarder to submit future-dated oracle reports to fabricate profits.
At the time of the attack, Ostium's on-chain TVL was around $34 million; the reported losses correspond to roughly 32-35% of TVL, i.e., about $12-18 million.
Approximately 20 looped trades were executed through delegated actions enabled by the compromised oracle key.
Ostium has raised about $27.8 million from high-profile investors including General Catalyst, Jump Crypto, Coinbase Ventures, Wintermute, and GSR.
Security experts note this incident comes amid a surge in DeFi exploits in 2026, with AI-assisted vulnerability discovery accelerating exploitation.
Ostium, a real-world asset perpetuals exchange built on Arbitrum, paused all trading on July 15, 2026 after an attacker drained roughly $18 million in USDC from its liquidity vault. CryptoPolitan and TradingView report that security firms Blockaid and CertiK both attributed the incident to a compromised oracle signer private key used to feed fake price data into the protocol.
Some estimates put the total losses higher. Crypto Briefing reported up to $23.7 million drained, while Protos cited losses exceeding $20 million. The wide range reflects an ongoing assessment as investigators piece together roughly 20 looped trades that triggered the payouts.
Ostium relies on a tool called a PriceUpKeep forwarder to push price data on-chain via Gelato, an automation service. The attacker used a compromised oracle signer key to register as a legitimate forwarder. They then submitted future-dated price reports — essentially made-up data showing favorable prices — to create artificial profitable trades.
Those fake trades triggered real payouts from Ostium's OLP liquidity vault. About 20 looped trades were executed this way, according to Crypto Briefing. Each loop drained more USDC until roughly $18 million was gone. The vault acts like a shared pool that backs all trades on the platform, so losses hit every liquidity provider.
At the time of the attack, Ostium held around $34 million in total value locked (TVL), according to CryptoPolitan. The $18 million loss represents roughly 32–35% of that figure — more than one-third of the protocol's entire collateral base wiped out in a single attack.
Value the Markets noted that Ostium had raised about $27.8 million from well-known backers including General Catalyst, Jump Crypto, Coinbase Ventures, Wintermute, and GSR. Despite that high-profile support, the protocol's oracle infrastructure was left exposed through an off-chain key management gap.
Ostium confirmed the trading pause and said it is actively investigating the incident, according to TradingView. The team urged all users to revoke any contract approvals tied to the protocol as a precaution. Revoking approvals cuts off a smart contract's ability to move funds on a user's behalf.
Value the Markets reported that the anomaly was first flagged as a "significant vault anomaly" before the full scope became clear. No timeline for resuming trading has been given publicly.
Security experts say this attack fits a broader pattern. Oracle manipulation — tricking a protocol with false price data — remains one of DeFi's most persistent weaknesses. Protos noted that this incident is part of a surge in DeFi exploits in 2026, with AI-assisted tools now helping attackers find vulnerabilities faster.
The fix, experts say, is straightforward in principle: better key management for oracle signers, stricter checks on incoming price data, and real-time monitoring of automated feed systems like Gelato's PriceUpKeep. The Ostium attack shows what happens when those safeguards are missing from a protocol handling tens of millions in real user funds.
Publishers
18
Articles
13
Reach
31