Author: CryptoSlate
Translation: Deep Tide TechFlow
Deep Tide Introduction: This is not a case of missing signatures but rather that authorized signers submitted price data "from the future." When validation passes but the data itself is toxic, where is the moat of DeFi protocols? Ostium has yet to release the final loss settlement and post-incident report, leaving a huge question mark over the abuse of signer privileges.
The on-chain perpetual trading platform Ostium stated that a security incident lasting five minutes resulted in losses in its public liquidity treasury. Security companies estimate the scale of the vulnerability to be as high as $24 million.
Co-founder Kaledora Kiernan-Linn confirmed that the issue occurred between 14:18 and 14:23 UTC on July 15, affecting the public Ostium liquidity provider (OLP) treasury. She stated the team identified the issue within minutes and coordinated a trading suspension within an hour. The statement did not provide an exact total loss amount, root cause, or final post-incident report.
Security companies noted that the core of the incident was the authorized data, rather than missing signatures. Blockaid and Cyvers stated that a registered PriceUpKeep forwarder submitted an oracle report with a future date, generating false trading profits.
SlowMist stated that the authorized signer provided manipulated data with valid signatures for repeat profitable trades. These descriptions remain to be confirmed in Ostium's post-incident report.
Cryptographic certification can confirm that the report was signed by allowed keys. However, price rationality, timestamp freshness, and settlement security require separate control measures.
The OstiumVerifier code linked from Ostium's security documentation would restore ECDSA signers and check whether the signers were authorized, but this verification function does not enforce price rationality tests or timestamp boundaries.
The code seems not to indicate which implementation version was active during the incident or whether separate contracts were applying these checks. Any timestamp, replay, price deviation, or multi-source protections must run in other parts of the execution path.
Even if stock prices remain static, tokenized stocks as collateral will fail
Ostium's protocol documentation states that OLP treasury holds collateral for traders and instantaneously pays winning trades on-chain. If false profits are accepted for settlement, the treasury liquidity pays for these transactions.

The publicly estimated values have been increasing as tracking continues. Blockaid estimates payments to be close to $18 million, Cyvers estimates $23.7 million, and PeckShield later described about $24 million being withdrawn.
SlowMist’s lower figure of $11.86 million seems to track a visible treasury outflow of $11,862,444.782 USDC in its referenced trade.
SummerFi DeFi's new vulnerability reveals that AI automation has surpassed smart contract risks
PeckShield stated that the withdrawn USDC was converted into 12,080 ETH, and as of their update, 10,540 ETH had entered Tornado Cash. Kiernan-Linn stated that Ostium is collaborating with law enforcement, SEAL 911, and third-party security experts.
This mechanism distinguishes Ostium from a similar issue with the Hedera loan protocol Bonzo Lend that occurred four days ago. Bonzo's incident report stated that its validator accepted a proof without a valid signature. In the case of Ostium, the security companies claimed that the report passed through the authorized signers' path: certification was successful, but the data was allegedly unsafe.
How a zero-signature oracle unlocked $9 million from the Hedera DeFi loan protocol Bonzo Lend
Ostium still needs to confirm whether the signer key was compromised, whether the authorized operator acted maliciously, or if other privileged paths were abused.
Its remedial measures will be judged by whether signer segregation, strict timestamp boundaries, independent price checks, rate limits, and circuit breakers can prevent a trusted path from turning minutes of bad data into yet another treasury payment.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。