An attacker siphoned roughly $18 million in USDC from Ostium’s liquidity vault on Arbitrum through an oracle manipulation exploit, according to findings from blockchain security firm Blockaid and onchain transaction data.

Blockaid’s analysis revealed that the attacker exploited a registered PriceUpKeep forwarder—a core component of Ostium’s automated infrastructure—to submit fraudulent oracle price updates with future-dated timestamps. These manipulated reports falsely indicated profitable trades, enabling the extraction of $18 million in USDC from the vault.

Ostium, a decentralized perpetuals exchange operating on Arbitrum, facilitates trading of real-world assets such as commodities, foreign exchange, and equity indices, offering up to 200x leverage with USDC settlements. The protocol relies on a proprietary price-feed mechanism to monitor real-world assets, with Gelato’s automation network tasked with transmitting price data to the blockchain. The PriceUpKeep smart contract governs this process, activating to record updated prices during trade execution.

This incident highlights ongoing vulnerabilities in decentralized finance protocols as oracle manipulation attacks persist across the sector.

Source link

Exit mobile version