Ostium’s $18 Million Exploit Used Authorized Reports. That Is the Worst Part

Ostium’s $18 Million Exploit Used Authorized Reports. That Is the Worst Part


A technician working beside server racks in a data center for a ProCoinNews article about Ethereum node hosting. image By Isaac • July 17, 2026 9:56 am •

A smart contract can be perfectly obedient and still empty a vault.

That is the uncomfortable lesson from the attack on Ostium, the Arbitrum-based perpetuals market where an attacker reportedly turned authorized oracle reports into roughly $18 million of artificial trading profit.

Trending: Trump fires US attorney minutes after activist judges installed him, leaving Patty Murray in tatters

The code did not need to be tricked into accepting an invalid message. It accepted data that arrived through a path the system already trusted.

The exploit came through the front door.

Blockaid’s first technical alert described an attacker using a registered PriceUpKeep forwarder and future-dated authorized oracle reports. Those reports created unreal profits on trades, and the Ostium vault paid out about $18 million in USDC.

That distinction matters. This was not the

Continue reading

 

Join the conversation!

Please share your thoughts about this article below. We value your opinions, and would love to see you add to the discussion!