How prices from the future fooled a crypto oracle into paying out up to $24 million
Ostium said a five-minute incident on July 15 drained its public OLP vault, with outside estimates ranging from about $18 million to $24 million. The team confirmed the issue from 14:18 to 14:23 UTC and paused trading within an hour, but has not yet given a final loss total, root cause, or postmortem. Security firms said the exploit likely used validly authorized oracle data, not a missing signature. Blockaid, Cyvers, and SlowMist reported that a permitted signer or forwarder submitted manipulated or future-dated price reports that created artificial trading profits, which the vault then paid out. Ostium’s verifier appears to check signer authorization, but not necessarily price plausibility or timestamp freshness. Ostium says the vault pays winning trades immediately on-chain, so bad oracle data could directly drain liquidity. PeckShield said the stolen USDC was swapped into ETH, with most of it later moved through Tornado Cash. Ostium is working with law enforcement and security partners while investigators determine whether a key was compromised or an authorized path was abused.
