Overview
- Security firm Blockaid detected the attack on July 15, 2026 and published transaction details showing roughly $18 million in USDC was drained from Ostium’s Arbitrum liquidity vault.
- The attacker abused Ostium’s PriceUpKeep forwarder by submitting future-dated, authorized oracle reports that made losing trades look profitable and triggered a large payout.
- Ostium immediately paused all trading and opened an investigation but has not reported any recovered funds or a final postmortem.
- Onchain traces show the attacker converted part of the stolen USDC to ETH through the Kyber Network and spread funds across multiple wallets to obfuscate the trail.
- The exploit continues a recent pattern of keeper and oracle-manipulation attacks and raises fresh questions about role management, validation of automated price feeds, and protections for liquidity providers.