An attacker drained approximately $18 million in USDC from Ostium's liquidity vault on Arbitrum in an oracle manipulation exploit detected by blockchain security firm Blockaid, according to onchain data. The attacker leveraged a registered PriceUpKeep forwarder, a component of Ostium's automated infrastructure, to submit oracle price reports with future-dated timestamps. The manipulated reports made losing positions look profitable, which triggered the $18 million USDC payout from the vault.
Ostium is a decentralized perpetuals exchange on Arbitrum that lets users trade real-world assets including commodities, forex, and equity indices with up to 200x leverage, settling in USDC. The protocol runs a custom price-feed system to track those offchain prices, with third-party automation network Gelato responsible for pushing the latest prints onchain at the right moments. A smart contract called PriceUpKeep sits at the center of that process, acting as the trigger that writes price data whenever a trade needs to execute. The attacker compromised that pipeline, not an outside price feed.
Why it matters
The exploit follows a string of oracle and keeper-system attacks across DeFi, most recently a $6 million drain from Summer.fi last week using a similar pattern of gaining access to privileged roles and manipulating the timing or content of price data to extract funds from liquidity pools. The repeat pattern is the story: keeper networks and automated price infrastructure remain a soft underbelly, and protocols that rely on them to bring real-world asset prices onchain inherit that risk.
Market impact
Ostium had raised $27.8 million in total funding, including a $24 million Series A co-led by General Catalyst and Jump Crypto in late 2025, and had processed more than $50 billion in cumulative trading volume. An $18 million loss is a material chunk of that war chest for a protocol in a still-nascent RWA perps vertical, and the incident lands as centralized venues reported record RWA perpetual volumes of $311 billion in June, a contrast that highlights how onchain RWA perps remain a higher-trust surface than the centralized alternative.
Frequently asked questions
-
How did the attacker drain $18M from Ostium?
The attacker used a registered PriceUpKeep forwarder, part of Ostium's Gelato-run price automation on Arbitrum, to submit oracle price reports with future-dated timestamps. The manipulated reads made losing trades appear profitable and triggered an $18 million USDC payout from the protocol's vault.
-
What is Ostium and what does it trade?
Ostium is a decentralized perpetuals exchange on Arbitrum that lets users trade real-world assets including commodities, forex, and equity indices with up to 200x leverage, settling in USDC.
-
Who flagged the Ostium exploit?
Blockchain security firm Blockaid detected the exploit and published the alert, with the onchain drain confirmed by onchain data.
-
How does this compare to the Summer.fi exploit?
The Summer.fi attack last week drained $6 million using a similar pattern of gaining access to privileged roles and manipulating the timing or content of price data to extract funds from liquidity pools.
-
How much had Ostium raised before the exploit?
Ostium had raised $27.8 million in total funding, including a $24 million Series A co-led by General Catalyst and Jump Crypto in late 2025, and had processed more than $50 billion in cumulative trading volume.
CoinDesk