Responsible Disclosure
If you discover a security vulnerability in Ostium’s smart contracts, please report it through Ostium’s Immunefi bug bounty program. Do not publicly disclose the vulnerability before giving the team time to investigate and remediate.
Audit Summaries
Zellic
Who: Zellic is a smart contract audit firm specializing in DeFi security reviews and vulnerability research.
Audits: Two engagements: an initial audit in February 2024 covering the original Ostium architecture, and a follow-up audit in November 2025 reviewing the upgraded trading contracts ahead of the Jump Liquidity Upgrade (JLU).
Scope: Both engagements covered the core trading, vault, and liquidation contracts: trading execution, position settlement, fee calculations, and oracle price handling. The November 2025 review focused on the contract changes underpinning the post-JLU architecture.
Key Findings: No critical vulnerabilities were identified in either engagement. The reviews confirmed proper implementation of collateral management, fee accrual mechanics, and liquidation logic. Recommendations from the initial audit were addressed in subsequent contract updates.
Download Zellic Audit Report: November 2025 (PDF)
Download Zellic Audit Report: February 2024 (PDF)
ThreeSigma
Who: ThreeSigma is an independent security research firm focused on DeFi protocol audits and risk analysis.
Audit Period: February 19 to March 22, 2024.
Scope: Secondary audit of the trading contracts, OLP vault mechanics, rollover fee calculations, and position closure logic, complementing Zellic’s earlier review. Included static analysis and dynamic testing across all major execution paths.
Key Findings: No critical or high-severity vulnerabilities. ThreeSigma confirmed correct implementation of the variable fee structures, proper handling of leverage constraints, and appropriate liquidation threshold enforcement. All recommendations have been addressed or are slated for future upgrades.
Download ThreeSigma Audit Report (PDF)
Pashov Audit Group
Who: Pashov Audit Group operates a network of 40+ vetted security researchers with deep experience in perpetual instrument protocols and oracle-driven pricing.
Audits: Three security reviews: January 2025, April 2025, and January 2026. The January 2026 review specifically covered the post-JLU architecture (new vault settlement flow, daily reconciliation between onchain and offchain books, dynamic open-interest caps) ahead of the April 2026 mainnet upgrade.
Scope: The January 2025 review covered the core trading and vault contracts. The April 2025 review focused on oracle integration, price verification, and updates to liquidation automation following mainnet deployment feedback. The January 2026 review covered 13 core contracts (including OstiumVault, OstiumOpenPnl, OstiumTradingCallbacks, OstiumTrading, OstiumTradingStorage, OstiumPriceRouter, OstiumPairInfos, and related libraries) with five reviewers over a one-week engagement.
Key Findings: All three reviews confirmed no critical vulnerabilities. The January 2026 review identified one high-severity finding affecting share-price accounting (operation ordering in the trade-close callback that could double-count PnL between settlements), which was resolved before the JLU mainnet launch, plus two medium and eight low-severity findings, of which eight were resolved and three formally acknowledged. Across all three engagements, Pashov verified correct implementation of the oracle price feeds (Chainlink and Stork), liquidation automation via Gelato Functions, and secure handling of collateral.
Ostium’s use of decentralized oracles and external automation services (Chainlink Automations, Gelato Functions) distributes critical functions across independent providers rather than relying on any single operator.
Mainnet Contract Addresses (Arbitrum)
All contracts below are verified on Arbiscan and can be inspected at any time to confirm code integrity:

| Contract | Address | Arbiscan Link |
|---|---|---|
| ProxyAdmin | 0x083F97BabF33D4abC03151B5DEc98170761f4025 | View |
| Registry | 0x799a139aE56e11F0476aCE2f6118CfcAed9608d2 | View |
| Vault | 0x20D419a8e12C45f88fDA7c5760bb6923Cee27F98 | View |
| LockedDepositNft | 0xb4f1123BE58f5d69E1cf565ED8756C7fcf31c8D3 | View |
| TradingStorage | 0xccd5891083a8acd2074690f65d3024e7d13d66e7 | View |
| PairInfos | 0x3890243a8fc091c626ed26c087a028b46bc9d66c | View |
| PairsStorage | 0x260E349F643f12797fDc6f8c9d3df211D5577823 | View |
| Trading | 0x6D0bA1f9996DBD8885827e1b2e8f6593e7702411 | View |
| TradingCallbacks | 0x7720fC8c8680bF4a1Af99d44c6c265a74e9742a9 | View |
| OpenPnlFeed | 0xE607aC9FF58697c5978AfA1Fc1C5C437a6D1858c | View |
| TradesUpKeep | 0x959Da1452238F71F17f7DA5dbA2e9c04FEf57324 | View |
| PriceRouter | 0x4B0C3c77D398912491f192d265b237C8d4441AD7 | View |
| PriceUpKeep | 0x52B2a78E12b09B66C6c8ce291D653D40bAb77f0c | View |
| PrivatePriceUpKeep | 0xB71ec9eBD8145daCaCF6724363143cb5567A3d36 | View |
| Verifier | 0xcCF233920e8cc9415ecF503b992881d69b6c47Ad | View |
Testnet Contract Addresses (Arbitrum Sepolia)
The following contracts are deployed on Arbitrum Sepolia for development and testing:

| Contract | Address | Sepolia Explorer Link |
|---|---|---|
| Registry | 0xf86cff7679BA3E99d21255d774088E25FE0ec34a | View |
| ProxyAdmin | 0xaB5583ebf187b926e48DeB9e9bb13418255c665C | View |
| TimeLockOwner | 0xbc7B65D3Aa1C38B39AC63f131D5245C51b83acbc | View |
| LockedDepositNft | 0xfFAd1f402030000C93152D38E384C202DD233445 | View |
| Vault | 0x2fbf52c8769c5da05afee7853b12775461cD04d2 | View |
| Trading | 0x2A9B9c988393f46a2537B0ff11E98c2C15a95afe | View |
| TradingStorage | 0x0b9F5243B29938668c9Cfbd7557A389EC7Ef88b8 | View |
| PairInfos | 0xEF5D3fC8A4651B32D2DAB967E1D91a67eCfa953E | View |
| PairsStorage | 0x81e252CCF6BB99202220FDc0c5788bBd9e2473D0 | View |
| TradingCallbacks | 0x83DC7c5dDeAD58f47230b70e6EF6bc44064BD814 | View |
| OpenPnlFeed | 0x27db8B73eC5cbaa17B4e7D3D3F07EBDb2eE3e154 | View |
| PriceRouter | 0x30DA14a620c9724C1Bb5d1f04049a29e2413d3aA | View |
| PriceUpKeep | 0x297775475E875025F58789dD46A9E2dcFCB0a1e1 | View |
| PrivatePriceUpKeep | 0x5d3Af2Ab23a5F38c548151F507F6dded9979B328 | View |
| Verifier | 0x52C8c22BF47657C172e5D7a7FB2C1156916BAc46 | View |
| TradesUpKeep | 0x9404A01D0546907e0bDCD0545146cB9781416E4c | View |
| MockUsdc | 0xe73B11Fb1e3eeEe8AF2a23079A4410Fe1B370548 | View |
| Gelato PairInfosManager | 0xad42c5da19b8d3f8c20847cb5a1a2deb502b5d46 | View |
Ongoing Monitoring
All Ostium smart contracts are continuously monitored for anomalies in fund flows, liquidation execution, and oracle prices. Any unexpected behavior triggers immediate investigation and, if necessary, protocol safeguards.
Verifying Contract Code
All mainnet and testnet contracts are fully verified on Arbiscan and Arbitrum Sepolia Explorer. To verify a contract:
- Navigate to the contract address on Arbiscan (mainnet) or Sepolia Explorer (testnet)
- Click the “Code” tab
- Compare the displayed source code against the Ostium GitHub repository
- Confirm the compiler version and optimization settings match the audit reports
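The last two steps can be scripted. The following is an added example, not Ostium code: it checks a verified-source record against the build settings an audit report states and against a local copy of the source. The record, the expected settings, and the implementation address are all constructed placeholders; the field names follow the shape of an Etherscan-style `getsourcecode` result, which is what Arbiscan serves. Because the deployment includes a ProxyAdmin, the check also flags proxy records so the implementation behind them gets verified too.

```python
import hashlib

# Build settings as copied from an audit report. PLACEHOLDER values, not Ostium's real ones.
EXPECTED_BUILD = {"CompilerVersion": "0.8.20", "OptimizationUsed": "1", "Runs": "200"}

# Stands in for a file cloned from the GitHub repository (constructed).
LOCAL_SOURCE = "pragma solidity ^0.8.20;\ncontract Example { uint256 public x; }\n"

# CONSTRUCTED record shaped like one entry of an Etherscan-style getsourcecode result.
VERIFIED_RECORD = {
    "SourceCode": "pragma solidity ^0.8.20;\r\ncontract Example { uint256 public x; }\r\n",
    "ContractName": "Example",
    "CompilerVersion": "v0.8.20+commit.a1b79de6",
    "OptimizationUsed": "1",
    "Runs": "200",
    "Proxy": "1",
    "Implementation": "0x000000000000000000000000000000000000dead",  # placeholder
}


def _normalize(src: str) -> str:
    # Line endings and trailing whitespace are not code changes; ignore them.
    return "\n".join(line.rstrip() for line in src.replace("\r\n", "\n").splitlines())


def source_digest(src: str) -> str:
    return hashlib.sha256(_normalize(src).encode()).hexdigest()


def short_compiler_version(full: str) -> str:
    # "v0.8.20+commit.a1b79de6" -> "0.8.20", the form audit reports usually quote.
    return full.lstrip("v").split("+")[0]


def check_verified_contract(record: dict, expected: dict, local_source: str) -> list:
    """Return findings; an empty list means the record matches the audited build."""
    if not record.get("SourceCode"):
        return ["no verified source published for this address"]
    findings = []
    got_version = short_compiler_version(record.get("CompilerVersion", ""))
    if got_version != expected["CompilerVersion"]:
        findings.append(f"CompilerVersion: explorer {got_version!r}, audit {expected['CompilerVersion']!r}")
    for key in ("OptimizationUsed", "Runs"):
        if record.get(key) != expected[key]:
            findings.append(f"{key}: explorer {record.get(key)!r}, audit {expected[key]!r}")
    if source_digest(record["SourceCode"]) != source_digest(local_source):
        findings.append("source differs from the local repository copy")
    if record.get("Proxy") == "1":
        # Upgradeable proxy: the logic lives at Implementation, which needs the same check.
        findings.append(f"proxy; repeat the check on implementation {record.get('Implementation')}")
    return findings
```

For multi-file verifications the explorer returns `SourceCode` as a standard-JSON input rather than flat text, so the digest comparison must then be done per file.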
FAQ
What's covered by these audits?
All six audits cover the core trading and vault smart contracts: position opening and closing, liquidation logic, fee accrual, oracle pricing integration, and settlement flow. The post-JLU Pashov review (January 2026) specifically covered the new vault settlement architecture. Frontend code (the Ostium web app) and offchain hedging infrastructure are not in scope. The audits focus on the smart contracts where user funds are held.
How can I verify the contracts?
All contracts are verified on Arbiscan. Navigate to any contract address listed above, click “Code,” and inspect the source. You can also clone the Ostium GitHub repository and compare the code directly.
What if a vulnerability is later discovered?
Ostium Labs monitors the protocol continuously and maintains relationships with top security researchers. If a vulnerability is discovered post-audit, the team will assess severity and implement a remediation plan (contract upgrade, market freeze, or emergency measures) depending on risk level.
What to Read Next
- How Ostium Works — Two-layer architecture and the four core services that run the protocol.
- Vault Overview — Onchain settlement layer and two-tranche structure underpinning trader collateral.
- Markets — All 71 trading pairs with leverage caps, fees, and trading hours.