The attacker distributed stolen funds in primarily ETH and stablecoins across 15 wallet addresses.
Aevo’s legacy Ribbon Finance smart contracts were exploited for approximately $2.7 million on Dec. 12, after an oracle infrastructure upgrade inadvertently enabled price manipulation, according to blockchain security researchers.
The attack targeted Ribbon’s DeFi Options Vaults (DOV), which are structured products that once held over $300 million in total value locked during DeFi’s peak. The vaults remained active on Ethereum despite Ribbon Finance’s 2023 rebrand and transition into derivatives exchange Aevo. The exploit did not affect Aevo’s primary Layer 2 exchange, the team said.
Blockchain analyst Specter first flagged suspicious outflows on X, identifying the exploit contract address and initial theft wallets. The attacker extracted hundreds of ETH and significant USDC holdings before distributing the proceeds to 15 separate addresses, many holding approximately 100 ETH each.
Security researcher Liyi Zhou published a detailed thread on X explaining that the attacker manipulated the Opyn/Ribbon oracle stack by abusing price-feed proxies. The exploit pushed arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common expiry timestamp.
Anton Cheng of Monarch DeFi noted that exploit was made possible by a Dec. 6 upgrade to the oracle code that “let anyone set prices for new assets.” Cheng confirmed that the underlying Opyn protocol was not compromised, as the vulnerability was specific to Ribbon’s oracle configuration.
Aevo will decommission all Ribbon vaults
In a statement on X, Aevo said all Ribbon vaults have been stopped and will be decommissioned immediately. While the vaults suffered approximately 32% in losses, the team proposed that withdrawals be subject to only a 19% reduction on position value at the time of the hack.
Aevo said it can offer the smaller haircut for two reasons: the DAO will forfeit its own vault positions (roughly $400,000 in various assets) to partially offset the theft, reducing net losses to $2.3 million. Second, the team said accounts with the largest deposits have gone dormant over the past two to four years and likely won’t withdraw at all.
“We’re proposing to prioritize active users by granting them a smaller reduction upfront,” the team wrote. “Given the expected dormancy rate, there’s a strong chance that users who withdraw during the claim window will ultimately be made whole after the final distribution.”
The claim window will run six months from Dec. 12 to June 12. After that date, the DAO will liquidate remaining assets and distribute them to users who previously withdrew, compensating up to the missing 19% or as much as remains available. The team noted the DAO “never promised or offered insurance on deposits.”
Oracle manipulation remains a persistent DeFi attack vector. Earlier this year, Venus Protocol on ZKsync lost $717,000 to a similar exploit, The Block previously reported.
