Key Highlights
- Blockaid identified an $18 million USDC exploit targeting the Ostium Vault on Arbitrum.
- The attacker allegedly exploited a PriceUpKeep forwarder and future-dated authorized oracle reports to inflate trading profits.
- Ostium paused all trading immediately while investigating the security breach.
Security firm Blockaid has detected a major exploit targeting the Ostium Vault, an on-chain settlement and liquidity layer for Ostium on Arbitrum, resulting in approximately $18 million in USDC being drained from the protocol. The incident, which occurred on Wednesday, highlights ongoing vulnerabilities in decentralized finance (DeFi) protocols that rely on oracles and automated trading mechanisms.
In an X post, Blockaid reported that the attacker exploited a registered PriceUpKeep forwarder combined with future-dated, authorized Oracle reports. By manipulating these components, the exploiter artificially inflated trade profits, triggering a substantial around $18M USDC payout from the vault.
The Crypto Times team tried to reach out to Ostium for a comment on the exploit, but didn’t receive any response yet.
Ostium pauses all trading activity
The transaction was successfully executed roughly one hour ago, as shown in the on-chain records.
Transaction Details
- Status: Success
- Block: 484137113 (410 L1 confirmations)
- Timestamp: July 15, 2026, 02:18 PM UTC
- Transaction Hash: 0x359f8c05b86a4409d60cfba02084334313fd94b19f74a294fb7fc4ea7d4870e0
- Exploiter Address: 0x321df194646029e7a6193ea05573d4b9c398bfd9
The exploit allegedly involved an “Execute Batch” function call, a method that has become a common vector in sophisticated smart contract attacks. Blockaid’s real-time detection system quickly identified and publicized the incident, allowing the broader DeFi community to react swiftly.
In response, Ostium promptly acknowledged the breach. “We are aware of the issue with the OLP vault. We have paused all trading. The team is investigating,” the protocol stated. This rapid response, pausing trading to prevent further losses, is a standard damage-control measure in DeFi exploits. However, with $18 million already transferred, the financial impact is significant for the vault and its liquidity providers.
Understanding the attack vector
Replying to Blockaid’s post, an X user explained the attack flow, saying the Ostium Vault exploit on Arbitrum stemmed from a critical compromise of the PriceUpKeep forwarder and an authorized oracle signer.
The attacker, while holding oracle signer keys, allegedly leveraged two privileges: a registered PriceUpKeep forwarder capable of self-fulfilling orders and an authorized signer able to produce future-dated oracle reports.
In a single atomic executeBatch transaction, the attacker executed a repeating loop: opening trades at MARKET prices, using manipulated performUpkeep calls with artificially favorable oracle prices (showing massive gains), and immediately closing trades.
This cycle was reportedly repeated approximately 10 times, compounding the margin with each round, from 1K to 80K, then 700K, ultimately generating up to 900% profit per round.
More DeFi hacks
Several high-profile DeFi exploits have occurred in 2026. Some notable hacks this month included BonkDAO and Edel Finance attacks.
BonkDAO, the governance body for Solana memecoin BONK, lost approximately $20 million worth of BONK tokens after a malicious governance proposal was approved. The proposal allowed an attacker to drain funds from the DAO’s treasury. The project is now working with exchanges, blockchain partners, and law enforcement to investigate the incident and recover the stolen assets.
Separately, DeFi protocol Edel Finance suffered a flash loan-assisted oracle manipulation exploit, resulting in a $403,000 drain from its xStock lending reserves. Blockaid’s real-time exploit detection system flagged the attack and issued an immediate community alert.
Also Read: Coinbase Backs CLARITY Act to Unlock Its ‘Everything Exchange’
