Ostium Vault Loses Up to $18M in Oracle Price Exploit


Ostium’s liquidity vault on Arbitrum lost as much as $18 million in USDC after an attacker used authorized oracle infrastructure to manufacture profitable trades and force repeated payouts.

The exploit used a registered PriceUpKeep forwarder and future-dated price reports carrying valid authorization. The reports allowed the attacker to repeatedly open and close positions against manipulated prices, creating artificial profit without taking genuine market exposure.

A primary exploit transaction shows the Ostium Vault sending approximately 11.86 million USDC through a sequence of trade settlements. Related activity pushed the estimated loss toward $18 million while investigators worked to identify every transaction connected to the incident.

The use of correctly authorized reports points to compromise of an oracle signer private key or equivalent control over the signing path. Ostium had not published a complete postmortem confirming how the attacker obtained that access.

Vault Settlement Mechanism Takes the Hit

The Ostium Vault is the onchain settlement layer for every position traded through the perpetual DEX. Liquidity providers deposit USDC and receive OLP tokens, while a junior buffer supplied by Ostium affiliates and strategic partners is designed to absorb trader profit before losses reach OLP capital.

When a trader closes a profitable position, the vault pays the account immediately in USDC. An offchain hedge is intended to produce an offsetting gain, with daily settlement later returning capital to the onchain buffer.

The manipulated price reports broke that process by making fabricated trading profit eligible for immediate payment without a corresponding legitimate hedge result. Repeated open-and-close actions converted the false prices into direct claims against the vault’s USDC.

The affected PriceUpKeep contract is part of Ostium’s verified Arbitrum deployment alongside the PriceRouter, verifier, trading callbacks and vault contracts. Ostium’s published security records list audits covering oracle handling, trading execution and vault settlement from Zellic, ThreeSigma and Pashov Audit Group.

Ostium Pauses Trading During Investigation

Ostium paused trading while the team investigated the compromised infrastructure, calculated the final loss and reviewed the remaining vault capital. No recovery plan or timeline for reopening had been released during the initial response.

The incident follows several 2026 failures involving vault logic, privileged infrastructure and price verification. Thetanuts Finance lost about $2.1 million after an accounting edge case allowed near-free minting from a legacy vault, although a whitehat secured most of the exposed positions.

Major DeFi and cross-chain exploit losses reached $816.9 million by late May, with oracle manipulation, signer compromise, admin-key failures and vault accounting among the recurring attack paths.

The affected Ostium liquidity structure held roughly $34 million before the attack. An $18 million final loss would remove more than half of that capital, while the 11.86 million USDC visible in the primary transaction represents approximately one-third.