On July 15, 2026, Ostium — a real-world-asset perpetuals exchange on Arbitrum — was drained of approximately $18 million after an attacker seized control of the protocol's price-feed infrastructure and fed it fabricated oracle prices to open and close leveraged trades at will.
What happened
Ostium lets traders take leveraged positions on real-world assets such as gold, forex and equity indices, backed by a USDC liquidity vault — the OLP vault — that acts as counterparty to every trade. The attacker gained control of an oracle signer key and abused a registered PriceUpKeep forwarder, a component of Ostium's automated price-delivery system, to submit future-dated, authorised oracle reports that bypassed the protocol's normal verification. In a single atomic executeBatch transaction they ran roughly 20 looped trades through delegated actions: opening a position at the genuine market price, then using a manipulated performUpkeep call to deliver an artificially favourable price and immediately closing the position at a profit. On-chain trade events showed positions opened at a delivered price of $5,000 and closed near $60,000 — an impossible twelvefold move inside one transaction, confirming at least one price was fabricated on demand. The looping siphoned funds straight from the OLP vault, which held roughly $63 million in total value locked before the attack — meaning close to a third of the protocol's liquidity vanished in one block.
Aftermath
Security firm Blockaid first flagged the draining transactions, with CertiK and other on-chain analysts corroborating the oracle-compromise pattern. Ostium paused all trading on the platform within minutes and began investigating. Reported loss estimates ranged from roughly $12 million to $18 million, with some trackers putting the vault outflow as high as $23.7 million. As of reporting, the funds had not been recovered. Ostium had raised about $27.8 million and processed over $50 billion in cumulative volume before the incident, making the exploit a serious blow to one of Arbitrum's larger RWA-perpetuals venues.
Why it matters
Ostium is the latest entry in 2026's relentless wave of oracle- and price-feed attacks on perpetuals DEXs — and the second Arbitrum perp platform hit in as many days, with Cascade following a day later. The mechanics rhyme almost exactly with KiloEX, where an access-control flaw in a MinimalForwarder let an attacker submit arbitrary signed price updates and open-then-close positions at manipulated prices, and with the classic Mango Markets manipulation. It also lands in the same month as the Bonzo Lend oracle exploit, reinforcing a blunt lesson: a perpetuals protocol is only as trustworthy as the signer keys and forwarders that feed it prices. When the oracle path itself is compromised, every downstream risk check is computing on numbers the attacker chose.
Sources & on-chain evidence
- [01]coindesk.comhttps://www.coindesk.com/business/2026/07/15/ostium-suffers-usd18-million-exploit-as-oracle-attack-wave-continues-to-hit-defi
- [02]decrypt.cohttps://decrypt.co/373566/defi-exploit-ostium-oracle-hack
- [03]theblock.cohttps://www.theblock.co/post/408450/ostium-pauses-trading-after-apparent-18-million-vault-exploit
- [04]crypto.newshttps://crypto.news/blockaid-uncovers-18m-exploit-that-forces-ostium-halt/
- [05]thedefiant.iohttps://thedefiant.io/news/hacks/ostium-halts-trading-after-oracle-exploit-drains-up-to-usd18m-from-vault
- [06]protos.comhttps://protos.com/more-oracle-exploits-as-ostium-loses-over-20m/
- [07]cryptobriefing.comhttps://cryptobriefing.com/ostium-suspends-trading-olp-vault-exploit/