MultiversX Tracker is Live!

Ostium's $18m exploit was a stolen oracle key

All Cryptocurrencies

by COINS NEWS 19 Views

Someone got the private key that signs Ostium's price oracle reports. with that key they pushed fake, future dated price data through ostium's automation system (a contract called PriceUpKeep, triggered by gelato) that made their trades look profitable when they weren't.

they ran about 20 open/close trade loops in a few hours and drained somewhere between $11.86M and $18M USDC, roughly 28% of the vault's $63M TVL.

Blockaid caught it and flagged it publicly. Ostium paused trading right after, all positions and user funds are frozen as is while they investigate.

Ostium had raised $27.8M from general catalyst, Jump crypto, Coinbase ventures, Wintermute and GSR, and processed over $50B in cumulative volume. multiple audits too. none of that stopped a compromised signer key from draining the vault, because the exploit lived in oracle infra, not the contract code.

summer.fi also got hit for $6M in a similar oracle/keeper exploit last week. feels like this is becoming the go to attack vector now that contract code itself is actually well audited.

anyone else think oracle key management needs the same scrutiny as multisig treasury keys at this point?

submitted by /u/Bluejumprabbit
[link] [comments]
Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments