Ostium lost up to $24M after future-dated oracle reports

Ostium’s public liquidity vault paid out up to $24 million after future-dated, authorized oracle reports triggered on-chain settlements during a five-minute incident on July 15.

Ostium’s public liquidity vault executed payouts of as much as $24 million after future-dated, authorized oracle reports produced artificial trading profits and triggered immediate on-chain settlements during a five-minute incident on July 15.

Co-founder Kaledora Kiernan-Linn confirmed the incident ran from 14:18 to 14:23 UTC and affected the Ostium Liquidity Provider (OLP) vault. The team identified the issue within minutes and implemented a trading pause inside the hour. Ostium has not published a final loss total, a technical postmortem, or a full accounting of funds taken from the vault.

Security firms produced differing loss estimates as tracing progressed. One firm placed the payout near $18 million, another estimated about $23.7 million, and a subsequent analysis described roughly $24 million drained. One tracker followed a visible outflow of 11,862,444.782 USDC, valued at about $11.86 million for that single vault outflow. That tracker reported the extracted USDC was swapped into roughly 12,080 ETH and that about 10,540 ETH reached the privacy service Tornado Cash by its update.

Independent security analyses indicate the reports that triggered settlements were validly signed but carried future timestamps. Two firms said a registered PriceUpKeep forwarder submitted future-dated, authorized oracle reports that generated artificial profits. Another analysis described an authorized signer supplying validly signed, manipulated data used for repeated profitable trades. These findings are third-party analyses pending Ostium’s own technical review.

Ostium’s public security documentation links to an OstiumVerifier function that recovers an ECDSA signer and checks whether the signer is authorized. That verifier function does not appear to enforce a price-plausibility check or a timestamp freshness bound. The available code does not specify which implementation was active during the incident or whether other contracts applied additional safeguards. Any timestamp, replay protection, price-deviation checks or multi-source validations would need to run elsewhere in the protocol’s execution path.

Protocol documents explain why the manipulated reports led to direct losses: the OLP vault holds trader collateral and pays winning trades immediately on-chain. If oracle reports produced artificial profits that passed authorization checks, the vault’s liquidity could be used to fund the resulting payouts without further manual approval.

Ostium is working with law enforcement, the response service SEAL 911, and third-party security specialists. The project has not confirmed whether a signer key was compromised, whether an authorized operator acted maliciously, or whether another privileged path was abused. A precise explanation of how future-dated reports were accepted and settled awaits Ostium’s postmortem.

The incident was compared with a separate exploit four days earlier at a different protocol, where a verifier accepted a proof with no valid signature. In Ostium’s case, the authentication step appears to have succeeded while the reported data contained unsafe values that allowed minutes of bad inputs to generate on-chain payouts from the public liquidity pool.

Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.

Articles by this author

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.