Login
Sign Up
Woofun AI reports that Ostium, an on-chain perpetuals trading platform, suffered a five-minute security incident draining its public liquidity vault. The breach, estimated at up to $24 million, triggered immediate engagement from PeckShield, Kiernan-Linn, law enforcement, SEAL 911, and third-party security specialists.
The financial impact was rapid and severe. Per Woofun AI, the extracted USDC was swapped into 12,080 ETH, with 10,540 ETH subsequently routed to Tornado Cash. This movement underscores the speed at which exploit proceeds are obfuscated.
Structurally, the vulnerability stemmed from a failure in price validation logic. While cryptographic authentication confirmed a permitted key signed the report, controls for price plausibility, timestamp freshness, and settlement safety were absent. The code did not identify which implementation was active, leaving any timestamp, replay, price-deviation, or multi-source safeguards to operate elsewhere in the execution path.
The investigation now focuses on whether a signer key was compromised, an authorized operator acted maliciously, or another privileged path was abused. Remediation will depend on implementing signer isolation, tight timestamp bounds, independent price checks, rate limits, and circuit breakers to prevent one trusted path from turning minutes of bad data into another vault payout.