Crypto
Home›Crypto›Market Structure›Ostium exploit triggers $18 million USDC payout via or…
Ostium exploit triggers $18 million USDC payout via oracle manipulation
The attack used a PriceUpKeep forwarder to submit future-dated oracle prices, making losing trades appear profitable and triggering an $18 million USDC payout from Ostium's liquidity vault.
CoinDesk reports that an attacker exploited a registered component of Ostium's price-feed automation system by submitting oracle reports with manipulated future timestamps. The falsified timing made losing trades appear profitable, which triggered an $18 million USDC payout from Ostium's protocol vault.
The incident was detected by blockchain security firm Blockaid, and onchain data shows the attacker used a PriceUpKeep forwarder at the center of Ostium's custom price-feed process. Ostium relies on Gelato, a third-party automation network, to push real-world asset prices onto the blockchain when needed.
Ostium is a decentralized perpetuals exchange on Arbitrum that lets users trade real-world assets such as gold, forex, and equity indices, with settlement in USDC and up to 200x leverage. The protocol had raised $27.8 million in funding and processed more than $50 billion in trading volume before the incident.
The exploit fits a broader pattern of DeFi oracle and keeper-system attacks, CoinDesk notes, including a $6 million drain from Summer.fi last week. In these attacks, the perpetrators typically gain privileged roles to alter the timing or content of price data to extract funds from liquidity pools.
Latest closeGold $4,058.20 ▲1.5%