TLDR
- Ostium, a decentralized trading protocol on Arbitrum, was exploited for an estimated $18–$22 million.
- An attacker manipulated Ostium’s price-feed system using future-dated timestamps to fake profitable trades.
- The exploit triggered an $18 million USDC payout from the protocol’s liquidity vault.
- Ostium paused all trading and urged users to revoke contract approvals while it investigates.
- The attack follows a pattern of oracle-based exploits hitting DeFi protocols throughout 2025 and 2026.
Ostium, a decentralized perpetuals exchange built on the Arbitrum blockchain, halted all trading on July 15 after an attacker drained approximately $18 million in USDC from its liquidity vault.
RWA Perpetual Protocol Ostium Suffers Suspected $18 Million Exploit on Arbitrum
Security firm Blockaid said it detected an exploit involving Ostium Vault on Arbitrum. According to Blockaid, the attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle… pic.twitter.com/2DfIGrRIoR
— Wu Blockchain (@WuBlockchain) July 15, 2026
Blockchain security firms Blockaid and CertiK both flagged the incident. Blockaid put losses at around $18 million, while CertiK estimated the figure closer to $22 million. The protocol said it is still investigating and has not confirmed official figures.
The attack targeted Ostium’s oracle system — the infrastructure that supplies real-world price data to the platform.
According to Blockaid, the attacker used a registered component of Ostium’s automated price-feed system called a PriceUpKeep forwarder. This component is responsible for pushing asset prices onto the blockchain when trades are executed.
The attacker submitted oracle price reports with manipulated, future-dated timestamps. This made losing trades appear profitable, which then triggered the vault to pay out roughly $18 million in USDC.
Ostium posted on X that it paused trading after identifying an issue with its vault. The protocol told users: “With user security being our first concern, we recommend that all users temporarily revoke approvals for our contracts until we can further investigate the recent incident.”
How the Price System Was Exploited
Ostium uses a third-party automation network called Gelato to push real-world asset prices onchain. The PriceUpKeep smart contract sits at the center of this process, acting as the trigger for price updates.
By gaining access to a registered role within that system, the attacker was able to inject false price data at the wrong time, causing the protocol to believe profitable trades had occurred and releasing funds from the vault.
Ostium supports trading in commodities, forex, equity indices, and cryptocurrencies with leverage up to 200x, settling in USDC.
A Growing Pattern of Oracle Attacks
This attack follows a similar exploit at Summer.fi just one week earlier, where $6 million was drained using comparable methods. Security researchers say attackers are increasingly targeting offchain infrastructure like oracle systems rather than exploiting smart contract code directly.
DeFiLlama data shows crypto hacks resulted in nearly $630 million in losses in April alone, the highest monthly total since February 2025. DeFi protocols accounted for the bulk of those losses.
Ostium had raised $27.8 million in total funding, including a $24 million Series A co-led by General Catalyst and Jump Crypto in late 2025. The protocol had processed over $50 billion in cumulative trading volume before the exploit.
JPMorgan analysts flagged in April that bridge and infrastructure security remains a key challenge for DeFi’s path toward institutional adoption.
The protocol’s investigation is ongoing.







