Ostium, a decentralized perpetuals exchange for real-world assets built on Arbitrum, lost as much as $18 million in USDC on July 15 after an attacker compromised the private key of one of its oracle signers. Blockaid, the security firm that first reported the incident, said the attacker used that access to submit falsified price data and drain a large share of the protocol’s main liquidity vault within hours. The breach raises fresh questions about Oracle’s security across the fast-growing real-world-asset sector.
How the Attacker Compromised Ostium’s Oracle
The attacker gained control of a private key belonging to one of Ostium’s oracle signers, according to Blockaid’s analysis. That access let them bypass the protocol’s verification checks and submit price reports timestamped for future blocks, prices designed to favor trades opened moments earlier.
Using a registered PriceUpKeep forwarder, the attacker authorized these future-dated oracle reports through delegated actions rather than a standard wallet transaction. That allowed them to open and close roughly 20 looped trades against the falsified prices, each one generating profit without any genuine market exposure.

Source: DeFiLlama, Ostium TVL
The attack pulled between $11.86 million and $18 million in USDC from Ostium’s main liquidity vault, according to on-chain records, equal to about 28% of the vault’s $63 million total value locked at the time of the attack. That same vault backs Ostium’s real-world-asset trading across equities, commodities, forex, and indices.
What This Means for DeFi Traders
Ostium had raised approximately $27.8 million from investors including General Catalyst, Jump Crypto, Coinbase Ventures, Wintermute, and GSR, and the protocol had passed multiple audits before this attack.
That combination of funding and audits shows that neither one eliminates the risk associated with how Oracle signer keys are managed. An oracle signer key functions like a master password for price data. When it’s compromised, it can override the automated checks meant to keep a protocol’s price feed honest.
Ostium isn’t the first Arbitrum-based protocol to face this kind of loss this year; Arbitrum froze $71 million in funds stolen from Kelp DAO after a separate exploit earlier in 2026, a sign that L2 DeFi infrastructure still carries real security stakes. Anyone using DeFi protocols that price assets through an oracle should treat signer key security as part of their own risk assessment, not a background detail handled entirely by the platform.
Ostium’s Investigation and Withdrawal Guidance
Ostium’s exploit is under active investigation. Users have been advised to avoid interacting with affected contracts until the team issues further guidance. Traders with open positions or deposits on Ostium should watch the protocol’s official channels for a formal post-mortem, confirmation of the final drained amount, and any plan to address affected users before making further decisions.
What this means for you: Before you trade or deposit funds on a DeFi platform, check whether it relies on an oracle for pricing, and if it does, look for how that platform protects its signing keys, since a compromised key can drain funds even when the smart contract code itself is secure.

