Decentralized trading platforms Ostium and Cascade disclosed separate exploits this week, highlighting what one security researcher says is a broader shift by hackers to vulnerabilities beyond the usual bugs in smart contracts.
Back-to-Back DeFi Exploits Show Hackers Also Targeting Infrastructure, Not Just Bugs
On 16 Jul, derivatives platform Cascade said it lost about $1.34mn after attackers exploited one of its trading vaults. A day earlier, Arbitrum-based perpetual futures platform Ostium revealed a security incident affecting its public OLP liquidity vault, a hack that resulted in an estimated loss of $22mn-$24mn.
Marcin Kazmierczak, co-founder of oracle provider RedStone, told Sandmark the two exploits fit a broader pattern of attackers targeting the infrastructure decentralized finance (DeFi) protocols rely on rather than the smart contracts themselves.
"Neither was a classic contract bug like reentrancy," Kazmierczak said. "Both were failures of the trust and privilege layer around the contracts."
Kazmierczak pointed to two other recent attacks: the $9mn Bonzo Lend exploit, which he said stemmed from a flaw in oracle verification, and the $6mn Summer.fi exploit involving a keeper.
"Four incidents, one pattern: attackers are going after the infrastructure protocols depend on, not just the code they deploy," he said.
Fewer but more catastrophic
Kazmierczak cited data from TRM Labs showing that while smart contract exploits hit a record 125 incidents in the first half of 2026, they accounted for just 17% of the $972mn stolen. By contrast, infrastructure and key compromises made up about 15% of incidents but around 76% of total losses.
"Contract bugs are becoming more frequent but smaller, while infrastructure failures produce the catastrophic outcomes," he said.
Evading the audit
Kazmierczakhe said key management has become DeFi's biggest security challenge because audits focus on smart contract code rather than outside the code.
"This is why we expect risk ratings to become standard infrastructure in DeFi," he said. "A code audit tells you the contracts are sound at one point in time. It says nothing about who holds the signer keys, how upgrades are controlled or how an asset is operationally set up."
Ostium's exploit
Ostium said the incident occurred between 14:18UTC and 14:23UTC on 15 Jul. The protocol identified the issue within minutes and paused trading contracts within the hour.
"We are working closely with relevant law enforcement authorities, SEAL 911, and third-party cybersecurity experts," co-founder Kaledora wrote in a post on X.
The protocol has not yet explained how the exploit happened, though several security firms have released early assessments.
CertiK estimated the exploit at about $22mn, saying an attacker compromised an oracle key, submitted false price data and used 100x leveraged trades to drain the OLP vault. The OLP (Ostium Liquidity Provider) vault holds the funds used to support trading on Ostium.
Meanwhile, PeckShield said the loss stood at about $24mn. The firm explained that the attacker swapped the stolen USDC for about 12,086 ETH before depositing 10,540 ETH into Tornado Cash, a privacy mixer.
It added that the attack wallet was initially funded with 1 ETH each from crypto exchanges ChangeNOW and Bybit.
In an update posted on 16 Jul, Ostium said trading remains paused, while user positions remain open but cannot be modified.
Cascade loses $1.34mn
On 16 Jul, Cascade revealed a $1.34mn exploit affecting its CLS vault, the pool of user funds that provides liquidity for trading on the platform.
According to the company, attackers built long positions while the CLS vault held matching short positions. They then pushed the market's mark price – the reference price used to determine when positions are liquidated – higher, which led to liquidations against the vault.
"Since the attackers held the other side of the trade, the attackers' positions were ADL-ed and closed at the high mark price," Cascade's X post reads.
Cascade said the company has since paused trading and withdrawals while it investigates the incident.