A sophisticated attack on Arbitrum-based DeFi project Ostium has drained approximately $18 million worth of USDC from its liquidity vaults, with blockchain security firm Blockaid attributing the exploit to manipulation of the protocol's oracle timestamp data.
Oracle Time Manipulation Created Fake Profits
The attacker exploited Ostium's 'PriceUpKeep forwarder', an automated infrastructure component, by submitting price data with future timestamps. This made it appear that profitable trades had occurred, tricking the system into automatically releasing $18 million in USDC from the liquidity vaults.
The key vulnerability was not just the price data itself, but the timing information — when the price was recorded. The attack exposed a fundamental weakness in DeFi structures that rely on the integrity of price data feeds.
Ostium's Structure and Attack Vector
Ostium is a decentralized perpetual futures exchange built on Arbitrum, offering up to 200x leverage on real-world assets like commodities, forex, and stock indices. It uses its own price feed system, with the Gelato automation network responsible for updating on-chain prices. The critical trigger in this process is the PriceUpKeep smart contract.
The flaw allowed an attacker with sufficient access or privileges to manipulate the timing or content of price data submissions, precisely the point that was exploited.
Recurring Oracle Vulnerabilities in DeFi
This incident follows a pattern of recent attacks on oracle and keeper systems in DeFi. Just last week, Summer.fi lost approximately $6 million in a similar exploit. These attacks typically involve hijacking or bypassing trusted roles within the system to distort price flows and drain liquidity pools.
Experts note that oracles are both the heart and the most vulnerable point of DeFi protocols.
The Shadow of Rapid Growth
Ostium had raised a total of $27.8 million, including a $24 million Series A round led by General Catalyst and Jump Crypto in late 2025. The project's cumulative trading volume had exceeded $50 billion, reflecting rapid growth. However, this incident has highlighted the structural risks hidden beneath that growth.
The DeFi market remains built on code-based trust, but as this case demonstrates, when the data input process is compromised, that trust can collapse instantly.