Ostium, an on-chain perpetuals trading platform, said a five-minute security incident caused losses from its public liquidity vault. Security firms estimated the exploit at up to $24 million.
Co-founder Kaledora Kiernan-Linn confirmed that the issue ran from 14:18 to 14:23 UTC on July 15 and affected the public Ostium Liquidity Provider (OLP) vault. She said the team identified it within minutes and coordinated a trading pause within the hour. The statement did not give a definitive loss total, identify the root cause, or provide a final postmortem.
Security firms said authorized data, rather than a missing signature, sat at the center of the incident. Blockaid and Cyvers said a registered PriceUpKeep forwarder submitted future-dated, authorized oracle reports that created artificial trading profits.
SlowMist said an authorized signer supplied validly signed manipulated data used for repeated profitable trades. Those descriptions remain third-party findings pending Ostium’s postmortem.
Cryptographic authentication can establish that a permitted key signed a report. Price plausibility, timestamp freshness, and settlement safety require separate controls.
The OstiumVerifier code linked from Ostium’s security documentation recovers an ECDSA signer and checks whether the signer is authorized, but that verifier function does not enforce a price-plausibility test or timestamp bound.
The code does not appear to identify which implementation was active during the incident or whether separate contracts applied those checks. Any timestamp, replay, price-deviation, or multi-source safeguards would have to operate elsewhere in the execution path.
Ostium’s protocol documentation states that the OLP vault holds traders’ collateral and pays out winning trades immediately on-chain. If artificial profits were accepted for settlement, vault liquidity funded the payouts.


Published estimates rose as tracing continued. Blockaid put the payout near $18 million, Cyvers estimated $23.7 million, and PeckShield later described roughly $24 million drained.
SlowMist’s lower $11.86 million figure appears to track one 11,862,444.782 USDC vault outflow visible in its cited transaction.
PeckShield said the extracted USDC was swapped into 12,080 ETH and that 10,540 ETH had reached Tornado Cash by its update. Kiernan-Linn said Ostium was working with law enforcement, SEAL 911, and third-party security specialists.
The mechanics distinguish Ostium from a similar issue with Bonzo Lend, a Hedera lender hit four days earlier. Bonzo’s incident report said its verifier accepted a proof carrying no valid signature. In Ostium’s case, security firms allege the reports came through an authorized signer path: authentication succeeded, but the data was allegedly unsafe.
Ostium still has to establish whether a signer key was compromised, an authorized operator acted maliciously, or another privileged path was abused.
Its remediation will be judged by whether signer isolation, tight timestamp bounds, independent price checks, rate limits, and circuit breakers can prevent one trusted path from turning minutes of bad data into another vault payout.
Crime,DeFi,Derivatives,Featured,BlockAid,Cyvers,ETH,ethereum,usd coin,USDCBlockAid,Cyvers,ETH,ethereum,usd coin,USDC#prices #future #fooled #crypto #oracle #paying #million1784226982



