
Hackers drained nearly $24 million from DeFi protocol Ostium by fooling its own oracle
DeFi protocol Ostium, running on Arbitrum, lost nearly $24 million in an attack on its own oracle system — an attacker tricked the protocol into accepting price data timestamped from the future.
How the Attack Worked
According to the investigation, the attacker used a registered PriceUpKeep forwarder — a trusted component through which oracle price reports reach the protocol — to submit correctly signed but manipulated data carrying future-dated timestamps. Because the reports were technically valid and arrived through a trusted channel, Ostium's smart contracts accepted them as genuine, letting the attacker open positions at a price that was guaranteed to be profitable.
According to Ostium's founder, known by the pseudonym Kaledora, the attack itself lasted just five minutes, from 14:18 to 14:23 UTC on July 15. The team spotted the unusual activity almost immediately and paused all of the protocol's trading contracts within an hour of the exploit starting.
How Much Was Stolen, and Where It Went
Initial damage estimates put the loss at around $18 million, but a more detailed analysis by on-chain analytics firm PeckShield, which traced the full chain of transactions, found that nearly $24 million had actually been drained from the protocol. According to PeckShield, the stolen USDC was converted into 12,080 ETH, a significant portion of which later moved through the Tornado Cash mixer.
What This Means in Practice
The Ostium attack continues a recent wave of oracle exploits hitting DeFi: the problem isn't compromised private keys or a bug in the smart contract code itself, but the underlying architecture of trust in data coming from external sources. Even a technically valid, correctly signed oracle report can be weaponized if a protocol doesn't independently check the plausibility of timestamps and the logical consistency of incoming data. For DeFi protocols, it's another argument for stricter validation of oracle inputs, rather than relying on a source's signature alone.
This material is for informational purposes only and is not investment advice.

Comments (0)
No comments yet — be the first!
Related news

'DOG Mode': an Ordinals developer challenges Bitcoin Core's anti-spam policy

Bitcoin pulls back from $65,300 to $63,400: what moved the market overnight
