Ostium has confirmed that its July 15 security breach drained 23,752,746 USDC from the protocol’s liquidity-provider vault. According to the report, the attacker compromised offchain pricing infrastructure and submitted false reports that appeared legitimate to the platform.
Those reports enabled positions to open and close at fabricated profits paid from the Ostium Liquidity Pool. Trading remains suspended while the Arbitrum-based platform strengthens safeguards and prepares a restart.
Ostium offers perpetual contracts linked to stocks, commodities, currencies, indices, and cryptocurrencies, with transactions settling in USDC on Arbitrum. To support these markets, external systems supply the prices used for entries, exits, liquidations, and profit calculations.
Meanwhile, liquidity providers deposit USDC into the OLP vault, which covers profitable trader positions. As a result, the vault became the payout source when fabricated gains passed through the protocol’s settlement process.
Galaxy Research traced eight payments to a single wallet, including transfers worth approximately $11.86 million, $4.49 million, and $3.59 million. Further payouts of $2.7 million and $1.08 million also supported Ostium’s final loss calculation of nearly $23.75 million.
However, the exploit did not depend on market volatility or a direct failure within the core trading contracts. Instead, the attacker obtained credentials connected to two privileged components in the platform’s pricing system.
According to Galaxy, Ostium’s verifier checked whether each price report carried a signature from an approved oracle signer. Nevertheless, the system did not independently confirm whether the submitted price accurately reflected the wider market.
The attacker reportedly controlled both an authorized signer credential and a registered PriceUpKeep forwarder. Together, those privileges allowed future-dated price reports to pass the protocol’s checks before repeated position cycles generated artificial gains.
Consequently, the contracts continued operating according to their programmed rules, but they relied on compromised data. In effect, legitimate credentials made false market information appear valid, converting manipulated prices into real USDC payouts.
Although the liquidity vault suffered major losses, Ostium said trader collateral remained protected in a separate, isolated contract. Open positions remain frozen, and users cannot adjust their margins during the shutdown.
When trading eventually resumes, the protocol will value positions using the reopening price rather than prices recorded during the suspension. This approach reduces the impact of market movements that traders could not respond to while the platform remained unavailable.
Ostium said it paused trading and froze the affected contracts within 60 minutes of the first malicious transaction. Since then, the platform has worked with Mandiant, zeroShadow, Collisionless, SEAL 911, law enforcement, exchanges, bridges, and stablecoin issuers.
Meanwhile, investigators continue tracing the stolen assets and reviewing the infrastructure needed for a secure relaunch. Ostium has also promised to provide users with at least 24 hours’ notice before trading contracts are reopened.
The funds, however, have already moved through several stages. Lookonchain reported that the attacker exchanged 23.75 million USDC for approximately 12,084 ETH at an average price of about $1,966.
Most of the ether later entered Tornado Cash, which obscures links between deposits and subsequent withdrawals. As a result, recovering the stolen assets has become more difficult for investigators and participating service providers.
The attack affected a platform that had reported more than $50 billion in cumulative trading volume across 75 supported markets. Ostium also raised $24 million in December 2025, bringing its total disclosed funding to $27.8 million.
Ultimately, the incident shows how compromised offchain infrastructure can weaken otherwise functional onchain contracts. Ostium’s recovery will therefore depend on stronger credential controls, independent price verification, and tighter operational safeguards.
The post Inside the Ostium Exploit: How False Prices Unlocked a $23.75M Heist appeared first on Blockonomi.