Someone got the private key that signs Ostium's price oracle reports. with that key they pushed fake, future dated price data through ostium's automation system (a contract called PriceUpKeep, triggered by gelato) that made their trades look profitable when they weren't.

    they ran about 20 open/close trade loops in a few hours and drained somewhere between $11.86M and $18M USDC, roughly 28% of the vault's $63M TVL.

    Blockaid caught it and flagged it publicly. Ostium paused trading right after, all positions and user funds are frozen as is while they investigate.

    Ostium had raised $27.8M from general catalyst, Jump crypto, Coinbase ventures, Wintermute and GSR, and processed over $50B in cumulative volume. multiple audits too. none of that stopped a compromised signer key from draining the vault, because the exploit lived in oracle infra, not the contract code.

    summer.fi also got hit for $6M in a similar oracle/keeper exploit last week. feels like this is becoming the go to attack vector now that contract code itself is actually well audited.

    anyone else think oracle key management needs the same scrutiny as multisig treasury keys at this point?

    Ostium's $18m exploit was a stolen oracle key
    byu/Bluejumprabbit inCryptoCurrency



    Posted by Bluejumprabbit

    2 Comments

    1. Patient_Craft2195 on

      numbers hold up. small nuance, blockaid didnt explicitly confirm a stolen key, just a compromised forwarder + oracle reports. either way oracle infra is def the new attack surface, [summer.fi](http://summer.fi) and kiloex got hit the same way

    Leave A Reply