Ostium, a decentralized perpetual contract platform focused on real-world assets (RWA) on Arbitrum, suffered a security breach on July 15, 2026, resulting in a loss of approximately $18 million in USDC from its liquidity vault. The attack exploited a leaked oracle signer private key, allowing the hacker to manipulate price feeds and drain about 35% of the vault's funds.
Oracle Key Leak Enables Price Manipulation
According to blockchain security firms including Blockaid, the breach did not stem from a smart contract code vulnerability but from poor oracle key management. The attacker obtained the private key of an oracle signer, bypassing system validation to submit fraudulent price data. Using a registered PriceUpKeep forwarder, the hacker submitted authorized oracle reports with future dates to fabricate favorable asset prices.
The attacker opened a small long position on Bitcoin (BTC) with USDC, submitted a low-price report to enter, then a high-price report to exit, triggering the platform's maximum 900% profit cap. This cycle was repeated roughly 20 times through delegated actions, siphoning funds from the liquidity vault.
$18M Loss and Fund Diversion
On-chain data from Arbiscan shows the main liquidity vault lost between $11.86 million and $18 million in USDC, representing about 35% of Ostium's total vault size, which exceeded $34 million. The hacker has since converted some of the stolen funds into Ethereum (ETH) and distributed them across multiple wallet addresses to evade tracking.
Platform Background and Response
Ostium is a decentralized perpetual exchange specializing in non-crypto assets such as stocks, commodities, forex, and indices, with over 95% of its open interest in these assets. It uses oracle services like Stork Network. The platform has processed over $50 billion in cumulative trading volume and raised $27.8 million from top venture firms including General Catalyst, Jump Crypto, and Coinbase Ventures.
As of press time, the Ostium team is conducting a full investigation and has not released a formal post-mortem. They urge users to monitor official channels on X and Discord for withdrawal guidance and security updates. The incident underscores the critical importance of oracle key management and real-time monitoring in DeFi and RWA protocols.