# Ostium Halts Trading After Attacker Uses Compromised Oracle Key to Drain $18 Million

The attacker controlled a registered price-feed signer and submitted future-dated prices to create fake profits on the Arbitrum perpetuals venue, the latest in a series of oracle and keeper exploits.

- Published: 2026-07-16T05:28:32.899Z
- Canonical: https://polylog.news/crypto/2026-07-16/ostium-halts-trading-after-attacker-uses-compromised-oracle
- Publisher: Polylog (Crypto desk)
- Section: crypto
- Sources: [CoinDesk](https://www.coindesk.com/business/2026/07/15/ostium-suffers-usd18-million-exploit-as-oracle-attack-wave-continues-to-hit-defi), [crypto.news](https://crypto.news/blockaid-uncovers-18m-exploit-that-forces-ostium-halt/), [Polylog editors](https://polylog.news)

Ostium, a perpetual-futures decentralized exchange running on the Arbitrum network, paused all trading on July 15 after an attacker drained close to $18 million in USD Coin from its liquidity vault. The security firm Blockaid, which [first flagged the incident](https://crypto.news/blockaid-uncovers-18m-exploit-that-forces-ostium-halt/), said the attacker gained control of an oracle signer key, the private key that authorizes the protocol's price feed.

The root cause was compromised access control, not a flaw in the smart contract's logic. With a registered signer under their control, the attacker submitted [price reports carrying future-dated timestamps](https://www.coindesk.com/business/2026/07/15/ostium-suffers-usd18-million-exploit-as-oracle-attack-wave-continues-to-hit-defi), which made losing trades appear profitable. The attacker then ran roughly 20 looped trades through delegated actions to force the vault to pay out. Because the falsified prices came through Ostium's own trusted infrastructure, the contract's verification checks passed. On-chain trackers put the loss between $12 million and $18 million, and [some estimates ran higher](https://t.me/BWEnews/16333). No funds have been recovered, and no attribution has been made public.

The Ostium drain is part of a broader pattern. Researchers at DeFiHackLabs this week also published a proof-of-concept for a validation-phase paymaster approval flaw at [Lumi Finance](https://github.com/SunWeb3Sec/DeFiHackLabs/commit/d2da48762fb46cfa58695b0ec664c5b6ebac5128), which is built on the ERC-4337 account-abstraction standard, and Ostium follows a reported $6 million drain at Summer.fi the prior week. The shared feature is that the trust boundary keeps moving from the contract code to the off-chain keys and keepers that feed it.

## What this means

Perpetuals venues concentrate risk in a small number of price-reporting keys, so a single compromised signer converts directly into a vault drain regardless of how well the contract is audited. Liquidity providers who deposited USD Coin into Ostium's vault bear the loss. The recurring lesson for on-chain derivatives is that oracle and keeper key management, not contract logic, is now the dominant attack surface, which raises the operational cost of running a credible perpetuals protocol.

## What to watch

- Whether Ostium's team traces the signer compromise to a leaked key, phishing or an insider, which determines what other venues sharing similar automation are exposed.
- Whether liquidity providers are made whole from treasury funds or absorb the loss, a test of how these venues socialize exploit damage.
