Morning Edition · Thursday, July 16, 2026Published at 1:28 AM EDT · New York
Ostium Halts Trading After Attacker Uses Compromised Oracle Key to Drain $18 Million
The attacker controlled a registered price-feed signer and submitted future-dated prices to create fake profits on the Arbitrum perpetuals venue, the latest in a series of oracle and keeper exploits.

Ostium, a perpetual-futures decentralized exchange running on the Arbitrum network, paused all trading on July 15 after an attacker drained close to $18 million in USD Coin from its liquidity vault. The security firm Blockaid, which first flagged the incident, said the attacker gained control of an oracle signer key, the private key that authorizes the protocol's price feed.
The root cause was compromised access control, not a flaw in the smart contract's logic. With a registered signer under their control, the attacker submitted price reports carrying future-dated timestamps, which made losing trades appear profitable. The attacker then ran roughly 20 looped trades through delegated actions to force the vault to pay out. Because the falsified prices came through Ostium's own trusted infrastructure, the contract's verification checks passed. On-chain trackers put the loss between $12 million and $18 million, and some estimates ran higher. No funds have been recovered, and no attribution has been made public.
The Ostium drain is part of a broader pattern. Researchers at DeFiHackLabs this week also published a proof-of-concept for a validation-phase paymaster approval flaw at Lumi Finance, which is built on the ERC-4337 account-abstraction standard, and Ostium follows a reported $6 million drain at Summer.fi the prior week. The shared feature is that the trust boundary keeps moving from the contract code to the off-chain keys and keepers that feed it.
What this means
Perpetuals venues concentrate risk in a small number of price-reporting keys, so a single compromised signer converts directly into a vault drain regardless of how well the contract is audited. Liquidity providers who deposited USD Coin into Ostium's vault bear the loss. The recurring lesson for on-chain derivatives is that oracle and keeper key management, not contract logic, is now the dominant attack surface, which raises the operational cost of running a credible perpetuals protocol.
What to watch
- Whether Ostium's team traces the signer compromise to a leaked key, phishing or an insider, which determines what other venues sharing similar automation are exposed.
- Whether liquidity providers are made whole from treasury funds or absorb the loss, a test of how these venues socialize exploit damage.
Observations to monitor, not financial advice.
Synthesized from: CoinDesk · crypto.news · Polylog editors
Part of a tracked trend
Bridge and Mint Exploits Sustain Heavy DeFi Losses
Over 3-6 months, recurring bridge proof-validation and unauthorized-mint exploits keep monthly DeFi losses elevated, including drains of deprecated contracts.
More from this edition
- DTCC Runs First Live Tokenized Trades of Stocks and Treasuries With Wall Street's Biggest Firms
- Privacy Layer-2 Networks Ship Live Confidential Execution and Pitch It as Institutional Baseline
- Morgan Stanley Wins Preliminary Approval to Pull Crypto Custody, Staking and Lending In-House
- Ether Outpaces Bitcoin as Exchange-Traded Fund Inflows Return, Led Almost Entirely by BlackRock
- Japan's Parliament Reclassifies Bitcoin and Crypto as Financial Products
- China Moves to Treat Crypto Mixer Use as Evidence of Money Laundering
- United States Freezes $131 Million in Tether Tied to Iran's Central Bank
- Base Creator Jesse Pollak Steps Back From App Leadership, Admits Social Strategy Failed
- Stanford Study Says Polymarket's Five-Minute Bitcoin Bets Moved $8.2 Million to Manipulators
- Bitcoin Untouched Since the 2017 Peak Moves $383 Million, as Old and Seized Coins Reawaken
- Trump to Meet Senators as Ethics Fight Threatens Crypto Market-Structure Bill