- Compromised Oracle credentials allow fake market prices to pass off Ostium’s validator as legitimate reports.
- Eight payments to a single wallet helped confirm the final loss of 23,752,746 USDC from the protocol’s OLP vault.
- Traders’ collateral remains isolated, but open positions remain frozen until a safe restart is ready.
- Most of the USDC stolen amounted to 12,084 ETH before Tornado Cash entered, making recovery efforts more difficult.
Ostium has confirmed that the security breach it suffered on July 15 drained 23,752,746 USDC from the protocol’s liquidity provider vault. According to the report, the attacker compromised the off-chain pricing infrastructure and provided false reports that appeared to be legitimate to the platform.
These reports enabled positions to be opened and closed with fabricated profits paid from the Ostium liquidity pool. Trading remains suspended for a while Decision-based platform Strengthens safeguards and prepares for reboot.
How hacked credentials converted fake prices into USDC
Ostium offers perpetual contracts linked to stocks, commodities, currencies, indices and cryptocurrencies, with transactions settled in USDC on resolution. To support these markets, external systems provide prices used for entry, exit, liquidation, and profit calculations.
Meanwhile, liquidity providers deposit USDC into the OLP vault, which covers traders’ profitable positions. As a result, the vault became the source of payment when the fabricated winnings passed through the protocol’s settlement process.
Galaxy research tracking Eight payments to one wallet, including transfers of approximately $11.86 million, $4.49 million, and $3.59 million. Other payments of $2.7 million and $1.08 million were also supported Ostium’s final loss Totaling approximately $23.75 million.
However, the exploitation was not based on market fluctuations or direct failure of the underlying trading contracts. Instead, the attacker obtained credentials connected to two distinct components of the platform’s pricing system.
According to Galaxy, Ostium’s verification tool verified whether each price report had a signature from an authorized oracle site. However, the system has not independently confirmed whether the price provided accurately reflects the broader market.
The attacker was reportedly controlling both the credentials of the authorized signer and the registered PriceUpKeep shipping agent. Together, these privileges allowed future price reports to pass protocol checks before frequent position cycles created artificial gains.
Consequently, the contracts continued to operate according to their programmed rules, but relied on suspicious data. In fact, legitimate credentials made fake market information appear valid, converting manipulated prices into real USDC payouts.
Trading remains frozen while investigators trace the funds
Despite the liquidity treasury suffering huge losses – said Ostium The trader’s collateral remained protected in a separate and isolated contract. Open positions remain frozen, and users cannot modify their margins during a shutdown.
When trading eventually resumes, the protocol will value positions using the reopening price instead of the prices recorded during the suspension. This approach minimizes the impact of market movements that traders cannot respond to while the platform remains unavailable.
Ostium said it temporarily halted trading and froze affected contracts within 60 minutes of the first malicious transaction. Since then, the platform has worked with Mandiant, zeroShadow, Collisionless, SEAL 911, law enforcement, exchanges, bridges, and stablecoin issuers.
Meanwhile, investigators continue to trace the stolen assets and review the infrastructure needed for a safe relaunch. Ostium also promised to provide users with at least 24 hours’ notice before trading contracts reopen.
However, the money has already gone through several stages. Lookonchain reported that the attacker exchanged $23.75 million USD for about 12,084 Ethereum at an average price of about $1,966.
Most entered the ether later Tornado Cashwhich obscures the links between deposits and subsequent withdrawals. As a result, recovering stolen assets has become more difficult for participating investigators and service providers.
The attack affected a platform that recorded more than $50 billion in cumulative trading volume across 75 supported markets. Ostium also raised $24 million in December 2025, bringing its total announced funding to $27.8 million.
Ultimately, the incident illustrates how incomplete infrastructure can undermine otherwise functioning Onchain contracts. Ostium’s recovery will therefore depend on stronger certification controls, independent price verification, and stricter operational safeguards.






