Ostium, an on-chain perpetuals buying and selling platform, stated a five-minute safety incident precipitated losses from its public liquidity vault. Safety companies estimated the exploit at as much as $24 million.
Co-founder Kaledora Kiernan-Linn confirmed that the problem ran from 14:18 to 14:23 UTC on July 15 and affected the general public Ostium Liquidity Supplier (OLP) vault. She stated the staff recognized it inside minutes and coordinated a buying and selling pause throughout the hour. The assertion didn’t give a definitive loss whole, establish the basis trigger, or present a remaining postmortem.
Safety companies stated licensed information, relatively than a lacking signature, sat on the middle of the incident. Blockaid and Cyvers stated a registered PriceUpKeep forwarder submitted future-dated, licensed oracle stories that created synthetic buying and selling income.
SlowMist stated a certified signer equipped validly signed manipulated information used for repeated worthwhile trades. These descriptions stay third-party findings pending Ostium’s postmortem.
Cryptographic authentication can set up {that a} permitted key signed a report. Worth plausibility, timestamp freshness, and settlement security require separate controls.
The OstiumVerifier code linked from Ostium’s safety documentation recovers an ECDSA signer and checks whether or not the signer is allowed, however that verifier perform doesn’t implement a price-plausibility check or timestamp sure.
The code doesn’t seem to establish which implementation was lively throughout the incident or whether or not separate contracts utilized these checks. Any timestamp, replay, price-deviation, or multi-source safeguards must function elsewhere within the execution path.
Ostium’s protocol documentation states that the OLP vault holds merchants’ collateral and pays out successful trades instantly on-chain. If synthetic income have been accepted for settlement, vault liquidity funded the payouts.


Printed estimates rose as tracing continued. Blockaid put the payout close to $18 million, Cyvers estimated $23.7 million, and PeckShield later described roughly $24 million drained.
SlowMist’s decrease $11.86 million determine seems to trace one 11,862,444.782 USDC vault outflow seen in its cited transaction.
PeckShield stated the extracted USDC was swapped into 12,080 ETH and that 10,540 ETH had reached Twister Money by its replace. Kiernan-Linn stated Ostium was working with regulation enforcement, SEAL 911, and third-party safety specialists.
The mechanics distinguish Ostium from an identical challenge with Bonzo Lend, a Hedera lender hit 4 days earlier. Bonzo’s incident report stated its verifier accepted a proof carrying no legitimate signature. In Ostium’s case, safety companies allege the stories got here via a certified signer path: authentication succeeded, however the information was allegedly unsafe.
Ostium nonetheless has to ascertain whether or not a signer key was compromised, a certified operator acted maliciously, or one other privileged path was abused.
Its remediation can be judged by whether or not signer isolation, tight timestamp bounds, unbiased value checks, charge limits, and circuit breakers can forestall one trusted path from turning minutes of dangerous information into one other vault payout.





