Decentralized perpetuals protocol Ostium was exploited for 23.75 million USDC, with the attacker immediately swapping the stablecoin proceeds for 12,084 ETH at an average price near $1,966 before routing the bulk of the funds through Tornado Cash.
Why it matters
The exploit is the latest in a string of DeFi drains sized in the tens of millions, and the on-chain trail is now familiar: convert the stablecoin haul into native ETH, then push it through a mixing service to break the audit chain. Tornado Cash remains the destination of choice for high-value attackers despite its 2022 OFAC designation and the ongoing legal fight over whether its immutable smart contracts can be sanctioned at all.
Market impact
Ostium's TVL and any remaining user positions are the immediate casualty, but the broader read is on USDC and on-chain perp venues. A $23.75M hole in a single protocol is a reminder that stablecoin-denominated exploits remain the highest-leverage target for attackers, since the proceeds are instantly convertible into ETH and then into untraceable rails.
Frequently asked questions
-
How much was stolen from Ostium in the exploit?
The attacker drained 23.75 million USDC from the Ostium protocol, then swapped the full amount for 12,084 ETH at an average price near $1,966.
-
Where did the exploiter send the stolen funds?
Most of the ETH proceeds were deposited into Tornado Cash, the mixing service that has been under US sanctions since 2022 and remains a common destination for high-value DeFi attackers.
-
Why do attackers swap stolen USDC for ETH before laundering?
ETH is the most liquid native asset on Ethereum and can be moved into mixers and bridges immediately, while stablecoins are more easily frozen at the issuer level once an address is flagged.
-
Is Tornado Cash still usable after its OFAC designation?
Yes. The smart contracts are immutable and remain live, and a lengthy legal battle over whether OFAC can sanction autonomous code is still unresolved, which is why high-value exploits keep routing through it.
-
What happens to Ostium users after a $23.75M exploit?
User funds sitting in affected pools are typically the first loss, and recovery depends on the root cause: oracle manipulation, private key compromise, or a smart-contract bug each carry different chances of a reimbursement plan from the team or treasury.
Lookonchain