Compromised oracle credentials let false market prices pass Ostium’s verifier as legitimate reports.Eight payouts to one wallet helped confirm the final loss of 23,752,746 USDC from the protocol’s OLP vault.Trader collateral stayed isolated, but open positions remain frozen until a secure relaunch is ready.Most stolen USDC became 12,084 ETH before entering Tornado Cash, making recovery efforts more difficult.Ostium has confirmed that its July 15 security breach drained 23,752,746 USDC from the protocol’s liquidity-provider vault. According to the report, the attacker compromised offchain pricing infrastructure and submitted false reports that appeared legitimate to the platform.An update on where things stand:What happenedOn July 15, Ostium’s LP (liquidity provider) vault was exploited for 23,752,746 USDC. Based on our ongoing investigation, the attacker compromised off-chain infrastructure related to the system that feeds prices into the protocol.…— Ostium (@Ostium) July 19, 2026Those reports enabled positions to open and close at fabricated profits paid from the Ostium Liquidity Pool. Trading remains suspended while the Arbitrum-based platform strengthens safeguards and prepares a restart.How Compromised Credentials Converted Fake Prices Into USDCOstium offers perpetual contracts linked to stocks, commodities, currencies, indices, and cryptocurrencies, with transactions settling in USDC on Arbitrum. To support these markets, external systems supply the prices used for entries, exits, liquidations, and profit calculations.Meanwhile, liquidity providers deposit USDC into the OLP vault, which covers profitable trader positions. As a result, the vault became the payout source when fabricated gains passed through the protocol’s settlement process.Galaxy Research traced eight payments to a single wallet, including transfers worth approximately $11.86 million, $4.49 million, and $3.59 million. Further payouts of $2.7 million and $1.08 million also supported Ostium’s final loss calculation of nearly $23.75 million.However, the exploit did not depend on market volatility or a direct failure within the core trading contracts. Instead, the attacker obtained credentials connected to two privileged components in the platform’s pricing system.According to Galaxy, Ostium’s verifier checked whether each price report carried a signature from an approved oracle signer. Nevertheless, the system did not independently confirm whether the submitted price accurately reflected the wider market.The attacker reportedly controlled both an authorized signer credential and a registered PriceUpKeep forwarder. Together, those privileges allowed future-dated price reports to pass the protocol’s checks before repeated position cycles generated artificial gains. Blockaid detected an @Ostium Vault exploit on Arbitrum.An attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to create artificial trade profit, triggering a ~$18M USDC payout from the vault.More details in — Blockaid (@blockaid_) July 15, 2026Consequently, the contracts continued operating according to their programmed rules, but they relied on compromised data. In effect, legitimate credentials made false market information appear valid, converting manipulated prices into real USDC payouts.Trading Stays Frozen as Investigators Track the FundsAlthough the liquidity vault suffered major losses, Ostium said trader collateral remained protected in a separate, isolated contract. Open positions remain frozen, and users cannot adjust their margins during the shutdown.When trading eventually resumes, the protocol will value positions using the reopening price rather than prices recorded during the suspension. This approach reduces the impact of market movements that traders could not respond to while the platform remained unavailable.Ostium said it paused trading and froze the affected contracts within 60 minutes of the first malicious transaction. Since then, the platform has worked with Mandiant, zeroShadow, Collisionless, SEAL 911, law enforcement, exchanges, bridges, and stablecoin issuers.Meanwhile, investigators continue tracing the stolen assets and reviewing the infrastructure needed for a secure relaunch. Ostium has also promised to provide users with at least 24 hours’ notice before trading contracts are reopened.The funds, however, have already moved through several stages. Lookonchain reported that the attacker exchanged 23.75 million USDC for approximately 12,084 ETH at an average price of about $1,966.Most of the ether later entered Tornado Cash, which obscures links between deposits and subsequent withdrawals. As a result, recovering the stolen assets has become more difficult for investigators and participating service providers.The attack affected a platform that had reported more than $50 billion in cumulative trading volume across 75 supported markets. Ostium also raised $24 million in December 2025, bringing its total disclosed funding to $27.8 million.Ultimately, the incident shows how compromised offchain infrastructure can weaken otherwise functional onchain contracts. Ostium’s recovery will therefore depend on stronger credential controls, independent price verification, and tighter operational safeguards.The post Inside the Ostium Exploit: How False Prices Unlocked a $23.75M Heist appeared first on Blockonomi.