Audit Summaries
Zellic
Who: Zellic is a smart contract audit firm specializing in DeFi security reviews and vulnerability research.
Audit Period: Conducted in Q3 2024
Scope: Comprehensive review of core trading, vault, and liquidation contracts including trading execution, position settlement, fee calculations, and oracle price handling.
Key Findings: No critical vulnerabilities identified in the audited smart contracts. The review confirmed proper implementation of collateral management, fee accrual mechanics, and liquidation logic. Minor recommendations were addressed in subsequent contract updates. Zellic’s detailed report is available in the link below.
Download Zellic Audit Report (PDF)
ThreeSigma
Who: ThreeSigma is an independent security research firm focused on DeFi protocol audits and risk analysis.
Audit Period: Conducted in Q4 2024
Scope: Secondary audit of trading contracts, OLP vault mechanics, rollover fee calculations, and position closure logic. The review included static analysis and dynamic testing across all major execution paths.
Key Findings: No critical or high-severity vulnerabilities were identified. ThreeSigma confirmed correct implementation of variable fee structures, proper handling of leverage constraints, and appropriate liquidation threshold enforcement. All recommendations have been addressed or are slated for future upgrades.
Download ThreeSigma Audit Report (PDF)
Pashov (Two Reviews)
Who: Pashov is an independent auditor and researcher with expertise in perpetual instrument protocols and oracle-driven pricing mechanisms.
Audit Period: First review in Q2 2024; second security review in Q3 2024
Scope: First review covered core trading and vault contracts. Second review focused on oracle integration, price verification, and updates to liquidation automation following mainnet deployment feedback.
Key Findings: Both reviews confirmed no critical vulnerabilities. Pashov verified correct implementation of oracle price feeds (Chainlink and Stork), proper liquidation automation via Gelato Functions, and secure handling of collateral. Minor observations in the first review were resolved prior to mainnet deployment.
Ostium’s use of decentralized oracles and external automation services (Chainlink Automations, Gelato Functions) distributes critical functions across independent providers rather than relying on any single operator.
Mainnet Contract Addresses (Arbitrum)
All contracts below are verified on Arbiscan and can be inspected at any time to confirm code integrity:
| Contract | Address | Arbiscan Link |
|---|---|---|
| ProxyAdmin | 0x083F97BabF33D4abC03151B5DEc98170761f4025 | View |
| Registry | 0x799a139aE56e11F0476aCE2f6118CfcAed9608d2 | View |
| Vault | 0x20D419a8e12C45f88fDA7c5760bb6923Cee27F98 | View |
| LockedDepositNft | 0xb4f1123BE58f5d69E1cf565ED8756C7fcf31c8D3 | View |
| TradingStorage | 0xccd5891083a8acd2074690f65d3024e7d13d66e7 | View |
| PairInfos | 0x3890243a8fc091c626ed26c087a028b46bc9d66c | View |
| PairsStorage | 0x260E349F643f12797fDc6f8c9d3df211D5577823 | View |
| Trading | 0x6D0bA1f9996DBD8885827e1b2e8f6593e7702411 | View |
| TradingCallbacks | 0x7720fC8c8680bF4a1Af99d44c6c265a74e9742a9 | View |
| OpenPnlFeed | 0xE607aC9FF58697c5978AfA1Fc1C5C437a6D1858c | View |
| TradesUpKeep | 0x959Da1452238F71F17f7DA5dbA2e9c04FEf57324 | View |
| PriceRouter | 0x4B0C3c77D398912491f192d265b237C8d4441AD7 | View |
| PriceUpKeep | 0x52B2a78E12b09B66C6c8ce291D653D40bAb77f0c | View |
| PrivatePriceUpKeep | 0xB71ec9eBD8145daCaCF6724363143cb5567A3d36 | View |
| Verifier | 0xcCF233920e8cc9415ecF503b992881d69b6c47Ad | View |
Testnet Contract Addresses (Arbitrum Sepolia)
The following contracts are deployed on Arbitrum Sepolia for development and testing:
| Contract | Address | Sepolia Explorer Link |
|---|---|---|
| Registry | 0xf86cff7679BA3E99d21255d774088E25FE0ec34a | View |
| ProxyAdmin | 0xaB5583ebf187b926e48DeB9e9bb13418255c665C | View |
| TimeLockOwner | 0xbc7B65D3Aa1C38B39AC63f131D5245C51b83acbc | View |
| LockedDepositNft | 0xfFAd1f402030000C93152D38E384C202DD233445 | View |
| Vault | 0x2fbf52c8769c5da05afee7853b12775461cD04d2 | View |
| Trading | 0x2A9B9c988393f46a2537B0ff11E98c2C15a95afe | View |
| TradingStorage | 0x0b9F5243B29938668c9Cfbd7557A389EC7Ef88b8 | View |
| PairInfos | 0xEF5D3fC8A4651B32D2DAB967E1D91a67eCfa953E | View |
| PairsStorage | 0x81e252CCF6BB99202220FDc0c5788bBd9e2473D0 | View |
| TradingCallbacks | 0x83DC7c5dDeAD58f47230b70e6EF6bc44064BD814 | View |
| OpenPnlFeed | 0x27db8B73eC5cbaa17B4e7D3D3F07EBDb2eE3e154 | View |
| PriceRouter | 0x30DA14a620c9724C1Bb5d1f04049a29e2413d3aA | View |
| PriceUpKeep | 0x297775475E875025F58789dD46A9E2dcFCB0a1e1 | View |
| PrivatePriceUpKeep | 0x5d3Af2Ab23a5F38c548151F507F6dded9979B328 | View |
| Verifier | 0x52C8c22BF47657C172e5D7a7FB2C1156916BAc46 | View |
| TradesUpKeep | 0x9404A01D0546907e0bDCD0545146cB9781416E4c | View |
| MockUsdc | 0xe73B11Fb1e3eeEe8AF2a23079A4410Fe1B370548 | View |
| Gelato PairInfosManager | 0xad42c5da19b8d3f8c20847cb5a1a2deb502b5d46 | View |
Security Practices
Ongoing Monitoring
All Ostium smart contracts are continuously monitored for anomalies in fund flows, liquidation execution, and oracle prices. Any unexpected behavior triggers immediate investigation and, if necessary, protocol safeguards.
Responsible Disclosure
If you discover a security vulnerability in Ostium’s smart contracts, please report it responsibly to security@ostium.io. Do not publicly disclose the vulnerability before giving the team time to investigate and remediate.
Verifying Contract Code
All mainnet and testnet contracts are fully verified on Arbiscan and Arbitrum Sepolia Explorer. To verify a contract:
- Navigate to the contract address on Arbiscan (mainnet) or Sepolia Explorer (testnet)
- Click the “Code” tab
- Compare the displayed source code against the Ostium GitHub repository
- Confirm the compiler version and optimization settings match the audit reports
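An added check for the last two steps of that procedure (example code, not Ostium's own tooling): it strips the solc metadata trailer before comparing on-chain runtime bytecode against a local build, and reads the compiler version out of that trailer so it can be compared with the audit report. All bytecode and version values below are constructed samples; fetching the real on-chain code (for example via `eth_getCode`) and the build artifact is left to the reader.

```python
# Added example, not Ostium code. solc appends a CBOR metadata trailer to
# runtime bytecode that embeds the source IPFS hash, so it differs whenever
# file paths or comments change; strip it before comparing, but keep the
# solc version it carries so that can be checked against the audit report.

def split_metadata(runtime: bytes) -> tuple:
    """Split off the trailer; solc stores its length in the last two bytes."""
    meta_len = int.from_bytes(runtime[-2:], "big") if len(runtime) >= 2 else 0
    if meta_len == 0 or meta_len + 2 > len(runtime):
        return runtime, b""  # no trailer (or an implausible length): plain code
    return runtime[:-(meta_len + 2)], runtime[-(meta_len + 2):-2]

def parse_metadata(meta: bytes) -> dict:
    """Minimal CBOR reader for the map solc emits: ipfs/bzzr1 hash, solc, flags."""
    out, i = {}, 1
    if not meta or meta[0] >> 5 != 5:  # CBOR major type 5 = map
        return out
    for _ in range(meta[0] & 0x1F):  # low 5 bits = number of key/value pairs
        klen = meta[i] & 0x1F  # keys are short text strings
        key = meta[i + 1:i + 1 + klen].decode()
        major, info = meta[i + 1 + klen] >> 5, meta[i + 1 + klen] & 0x1F
        i += 2 + klen
        if major == 2:  # byte string; info 24 means a one-byte length follows
            if info == 24:
                info, i = meta[i], i + 1
            val = meta[i:i + info]
            i += info
            out[key] = ".".join(str(b) for b in val) if key == "solc" else val.hex()
        elif major == 7:  # simple value: 20 = false, 21 = true
            out[key] = info == 21
    return out

def matches_artifact(onchain: bytes, local: bytes, expected_solc: str) -> dict:
    """Report whether code (minus metadata) and compiler version line up."""
    oc, om = split_metadata(onchain)
    lc, lm = split_metadata(local)
    o_solc, l_solc = parse_metadata(om).get("solc"), parse_metadata(lm).get("solc")
    return {"code_match": oc == lc, "onchain_solc": o_solc,
            "solc_match": o_solc == l_solc == expected_solc}

def _trailer(ipfs: bytes, solc: tuple) -> bytes:
    """Build a solc-style trailer for the constructed samples below."""
    m = b"\xa2\x64ipfs\x58\x22" + ipfs + b"\x64solc\x43" + bytes(solc)
    return m + len(m).to_bytes(2, "big")

# Constructed samples (not a real deployment): same code, different source hash.
CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")
ONCHAIN = CODE + _trailer(b"\x12\x20" + b"\x11" * 32, (0, 8, 20))
LOCAL = CODE + _trailer(b"\x12\x20" + b"\x22" * 32, (0, 8, 20))
```

The trailer carries the compiler version but not the optimizer settings, so a settings mismatch shows up only as a bytecode mismatch; the source itself still has to be read on Arbiscan as the steps above describe.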
FAQ
Have there been any critical vulnerabilities?
No. All three audit firms (Zellic, ThreeSigma, Pashov) confirmed no critical vulnerabilities in production code. Minor observations have been addressed or are planned for future upgrades. The protocol has been operating on mainnet without critical incidents.
How can I verify the contracts?
All contracts are verified on Arbiscan. Navigate to any contract address listed above, click “Code,” and inspect the source. You can also clone the Ostium GitHub repository and compare the code directly.
What if a vulnerability is later discovered?
Ostium Labs monitors the protocol continuously and maintains relationships with top security researchers. If a vulnerability is discovered post-audit, the team will assess severity and implement a remediation plan (contract upgrade, market freeze, or emergency measures) depending on risk level.
What to Read Next
- How Ostium Works — Two-layer architecture and the four core services that run the protocol.
- Vault Overview — Onchain settlement layer and two-tranche structure underpinning trader collateral.
- Markets — All 60 trading pairs with leverage caps, fees, and trading hours.