Ostium’s $18M exploit raises a bigger question: Is ‘instant settlement’ worth the risk?
Is imposing settlement delays the best way to mitigate crypto hacks.
Ostium, a perpetual decentralized exchange (DEX) on Arbitrum, has suffered an oracle exploit that has led to an $18M loss.
In the latest security update on the 16th of July, the DEX said that it has paused trading, adding that,
Trading remains paused following the security incident. User positions remain open and unmodifiable, and trader margin remains unmoved in frozen trading smart contracts.

According to security firm Blockaid, the attacker fed fake future prices to an oracle pricing system of an Ostium vault. This tricked the vault into thinking that the attacker had made a massive trading win. As a result, it allowed the hacker to move $18M worth of USDC from the vault.
In other words, the vault’s pricing system was not designed to verify price data from multiple sources. Sounds familiar? This was a similar fault with the Binance pricing system that triggered the October price crash.
Ostium: Is instant settlement enabling crypto hacks?
In a surprising recommendation, BackPack’s Amramni Ferrante urged Ostium and any crypto platform to ‘kill instant settlement’ to deal with the rising hacks.
You want to stop getting hacked? Kill instant settlement. It’s just not worth it. Every exchange and protocol should add mandatory withdrawal delays.
In July, losses from crypto hacks have now hit $57.25M. Some of the key hacked projects include BonkDAO, Bonzo Lend, Lazy Summer Protocol, and more. Overall, about $992M has been lost in 2026 to crypto hacks.
The trend continues in H2, despite a declining rate in the value of stolen funds.
As the stolen funds rise towards the $1B mark, Ferrante questioned,
At what point is enough, enough? People will hate it. People might dunk on me for saying this, but these people don’t care about you or the safety of your funds.
Interestingly, Viktor Bunin, protocol specialist at Coinbase, supported the proposal and expected more platforms to embrace the payment delay design in the future.
I strongly agree. Instant settlement is a bug, not a feature. The reality is that we want protections against bugs, hacks, attacks, mistakes, stealing, etc.
However, crypto lawyer Gabriel Shapiro disagreed with the proposal, arguing that the cost and centralization risk would outweigh the expected security benefits.
Worth noting that the settlement delay idea isn’t new. It underpins the security design for most Ethereum L2s. For example, moving funds from the Ethereum mainnet to L2s like Arbitrum takes about 7 days to help detect and exclude fraudulent transactions.
If it were to be implemented at the platform or app level, perhaps the fraudulent $18M vault payout could have been stopped. Unfortunately, it would also inconvenience other legitimate users who want instant payouts.
Final Summary
- Ostium DEX has paused all trading after an $18M exploit via oracle price manipulation.
- The community was divided on whether imposing payout delays could solve rising crypto hacks.