Ostium's Oracle Got Oracle'd 🤝 Perpetual Perp Pain
Back to feed

Ostium's Oracle Got Oracle'd 🤝 Perpetual Perp Pain

Decentralized perpetuals trading protocol Ostium paused trading Wednesday after blockchain security firms Blockaid and CertiK reported an apparent exploit of its OLP liquidity vault, with Blockaid estimating $18 million in losses and CertiK placing the figure at roughly $22 million. Both firms attributed the incident to a compromise of the protocol's oracle system, which supplies external price data for trading. Blockaid said in a post on X that the attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to generate artificial trading profits, triggering a payout in Circle-issued USDC stablecoin from the vault. At the time of the attack, the protocol held about $63 million in total value locked on Arbitrum, meaning the reported losses represented close to one-third of its liquidity.

Ostium announced on X that it paused all trading after identifying the issue affecting the vault and said: "With user security being our first concern, we recommend that all users temporarily revoke approvals for our contracts until we can further investigate the recent incident." The protocol said its team is investigating and has not yet confirmed the cause of the incident or the estimated losses reported by the security firms. Built on Arbitrum, Ostium is an onchain perpetuals trading platform offering leveraged exposure to 75 trading pairs spanning stocks, ETFs, commodities, indices, foreign exchange and cryptocurrencies.

The incident is the latest in a series of high-profile attacks targeting decentralized finance protocols, with researchers noting a shift toward offchain infrastructure such as oracle systems, privileged access and key management rather than purely smart-contract exploits. According to DeFiLlama, crypto hacks resulted in nearly $630 million in losses during April, the highest monthly total since February 2025, with exploits at KelpDAO and Drift Protocol making up more than 80% of that month's total. DeFi hacks remain a persistent challenge; more than $840 million was stolen from DeFi protocols in the first five months of 2026, including $292 million from KelpDAO and $285 million from Drift Protocol, and over $25 million was taken from Resolv Labs in June.

Industry figures have pointed to artificial intelligence as a growing accelerant of exploit discovery. "AI is far better at reviewing code than most people and finding potential vulnerabilities in it," Danny Jenkins, CEO and co-founder of ThreatLocker, previously told Decrypt, warning that newer models such as Mythos could significantly expand those capabilities in what he called an imminent "big problem." In May, security researcher Taylor Horny used Anthropic's Claude Opus 4.8 to identify a four-year-old counterfeiting vulnerability in Zcash, underscoring how frontier AI models are becoming more effective at locating complex software flaws. In an April research note, JPMorgan analysts said bridge security remains a key challenge for the sector, raising questions about whether DeFi can scale to support broader institutional participation, and speaking to Cointelegraph in May, Statemind CEO and Symbiotic co-founder Misha Putiatin said institutions increasingly struggle to quantify hack risk, making them less willing to accept the sector's returns despite growing interest in blockchain-based finance.

Mentioned Coins

$USDC
Share:
Publishercryptonewsroom.xyz
Published
CategorySecurity

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.

See our Terms of Service, Privacy Policy, and Editorial Policy.