Ostium Loses $18M in Oracle Attack That Misled Its Own Power Infrastructure in Pricing

An attacker drained approximately $18 million in USDC from Ostium’s liquidity vault on Arbitrum in an oracle manipulation exploit detected by blockchain security firm Blockaid, according to on-chain data.

According to Blockaid’s alert, the attacker used a registered PriceUpKeep forwarder, a component of Ostium’s automated infrastructure, to submit Oracle price reports with future timestamps. The manipulated reports made the trades appear profitable, which triggered an $18 million USDC payment from the vault.

Ostium is a decentralized perpetual exchange on Arbitrum that allows users to trade real-world assets, including commodities, currencies, and stock indices, with up to 200x leverage, settled in USDC.

Ostium uses a custom price feed system to track real-world asset prices, with a third-party automation network called Gelato responsible for pushing those prices onto the chain at the right time. A smart contract called PriceUpKeep sits at the center of this process, acting as the trigger that writes the latest price data to the blockchain each time a transaction needs to be executed.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top