Someone got the private key that signs Ostium’s price oracle reports. with that key they pushed fake, future dated price data through ostium’s automation system (a contract called PriceUpKeep, triggered by gelato) that made their trades look profitable when they weren’t.

they ran about 20 open/close trade loops in a few hours and drained somewhere between $11.86M and $18M USDC, roughly 28% of the vault’s $63M TVL.

Blockaid caught it and flagged it publicly. Ostium paused trading right after, all positions and user funds are frozen as is while they investigate.

Ostium had raised $27.8M from general catalyst, Jump crypto, Coinbase ventures, Wintermute and GSR, and processed over $50B in cumulative volume. multiple audits too. none of that stopped a compromised signer key from draining the vault, because the exploit lived in oracle infra, not the contract code.

summer.fi also got hit for $6M in a similar oracle/keeper exploit last week. feels like this is becoming the go to attack vector now that contract code itself is actually well audited.

anyone else think oracle key management needs the same scrutiny as multisig treasury keys at this point?

submitted by /u/Bluejumprabbit [link] [comments]r/CryptoCurrencyRead More

You might also be interested in reading Santiment Highlights Five of This Week’s Top Trending Coins: BTC, ETH, DOGE, USDT, EGLD.