A hacker exploited Ostium, a decentralized perpetuals exchange on Arbitrum, in a sophisticated oracle manipulation scheme that resulted in the loss of $18 million in USDC from the protocol’s liquidity vault.
Attacker exploited automated price-feed system
Blockchain security firm Blockaid first detected the exploit, which targeted a key component of Ostium’s price automation setup known as the PriceUpKeep forwarder. The attacker submitted falsified oracle reports featuring future-dated timestamps, effectively making losing trades appear as if they were profitable.
This manipulation enabled the attacker to trigger an $18 million payout from Ostium’s vault. Blockaid’s analysis shows that the exploit succeeded by leveraging the privileged role of automation components responsible for reporting on real-world asset prices.
The attacker used a registered PriceUpKeep forwarder to push manipulated price data with future timestamps, forcing the protocol to recognize fabricated profits and enabling an $18 million USDC withdrawal from the liquidity vault.
The exploit underscores persistent vulnerabilities across decentralized finance, particularly in the systems that automate and verify price reporting from real-world sources onto blockchains.
Mini dictionary: Ostium is a decentralized trading protocol on Arbitrum that enables users to trade perpetual contracts of real-world assets such as gold, foreign currencies, and equity indices, typically with high leverage and onchain settlement in stablecoins.
Pattern of DeFi oracle system vulnerabilities
Incidents similar to the Ostium attack have plagued other decentralized protocols, with DeFi platforms frequently targeted through exploits involving oracle or keeper infrastructure. Just last week, $6 million was drained from Summer.fi in a comparable attack where privileged components manipulated the timing or content of price data.
Ostium’s system relies on a third-party network called Gelato to automate the delivery of real-world price data to its onchain contracts. The central PriceUpKeep contract writes the latest asset prices to Arbitrum whenever a user executes a trade. Attackers have increasingly targeted these automated update mechanisms, seeking out weaknesses in how and when price data is written to the blockchain.
By controlling or spoofing trusted automation components, bad actors can fabricate trading outcomes on paper and extract protocol funds by triggering illegitimate settlements.
| Platform | Date of Exploit | Loss Amount | Attack Vector |
|---|---|---|---|
| Ostium | June 2026 | $18 million | Oracle manipulation via PriceUpKeep |
| Summer.fi | June 2026 | $6 million | Keeper/oracle system breach |
Ostium’s growth and funding background
Before the exploit, Ostium had raised a total of $27.8 million, including a $24 million Series A co-led by venture investors General Catalyst and Jump Crypto in late 2025. The protocol had also reported over $50 billion in cumulative trading volume, reflecting strong user interest in onchain derivatives tied to real-world markets.
At the time of the incident, Ostium allowed traders to access commodities, forex pairs, and equity indices, offering up to 200x leverage and USDC-settled contracts.
Ongoing investigations are underway after security alerts surfaced, with the extent of the attacker’s identity and the possibility of recovering the drained funds currently unknown.
Incidents like Ostium’s highlight the risks associated with DeFi protocols’ increasing reliance on complex automation and oracle infrastructure, especially when these systems are entrusted with large amounts of investor capital.




