Foresight News posted on X (formerly Twitter). Ostium was hit by an exploit after an oracle signer’s private key was stolen, according to Blockaid, which first disclosed the attack details. The key was used to verify external price data, allowing the attacker to submit price reports that appeared legitimate to the protocol.
The attacker used the compromised key to send forged price data with future timestamps through a registered PriceUpKeep relay. The attack path involved opening positions at market prices, calling the performUpkeep function with the forged data so losing positions appeared highly profitable to the protocol, and then immediately closing the positions to extract gains.
Security firm Decurity analyzed one transaction and said the attacker withdrew about $11.86 million in USDC from the vault in a single operation. The cycle was repeated about 10 times, with margin rolling from $1,000 to $80,000 and then to $700,000, producing a per-round return of about 900%.
Before the attack, the OLP vault held about $34 million in USDC and the protocol’s total value locked fell from about $65 million to $37.83 million, indicating that more than 40% of liquidity was drained. Estimates of the loss vary across security firms, with Blockaid putting it at about $18 million, CertiK at about $22 million, and PeckShield at close to $24 million. Ostium has not yet released an official loss figure.
Ostium Suffers Oracle-Key Exploit After $27.8 Million Funding Round
2026-07-16 07:27:36
Disclaimer:
1. The information provided does not constitute investment advice. Investors should make independent decisions and bear all risks themselves.
2. The copyright of this content belongs to the original author. The views expressed herein are solely those of the author and do not represent the stance or position of this website.