Aevo, the derivatives platform formerly known as Ribbon Finance, confirmed that its legacy Ribbon DeFi Options Vaults (DOV) were exploited for approximately $2.7 million following an oracle infrastructure upgrade on December 12, according to blockchain security researchers and the project’s official statement.

Exploit linked to December 6 oracle update

The exploit occurred nearly a week after a December 6 oracle code upgrade that misconfigured price feed permissions. Researchers said the change “let anyone set prices for new assets,” introducing a serious vulnerability.

The attacker used this misconfiguration to manipulate expiry prices for several assets connected to the Ribbon vaults. Key affected tokens included wstETH, AAVE, LINK, and WBTC. The manipulated expiry values were written at the same expiry timestamps the vaults settle against, allowing the attacker to drain vault assets while the settlements appeared legitimate.

Security researcher Liyi Zhou detailed on X that the exploit manipulated the Opyn/Ribbon oracle stack through proxy contracts. The flaw did not compromise the broader Opyn protocol, which remained secure. Instead, the issue came from Ribbon’s oracle configuration used in the older contracts.
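The pattern the researchers describe, a pricer check that fails open for assets nobody has registered, is shown below as an added illustration. This is hypothetical example code written for this article, not Opyn's or Ribbon's contracts, and the exact shape of the December 6 misconfiguration is assumed, not taken from the page; it contrasts the weak setter with a hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical expiry-price oracle for illustration only (not Opyn/Ribbon code).
contract ExpiryOracle {
    address public owner;
    // asset => address allowed to report that asset's expiry price
    mapping(address => address) public pricerOf;
    // asset => expiry timestamp => settlement price
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;
    mapping(address => mapping(uint256 => bool)) public finalized;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setAssetPricer(address asset, address pricer) external onlyOwner {
        require(pricer != address(0), "zero pricer");
        pricerOf[asset] = pricer;
    }

    // WEAK: the permission check is skipped when no pricer is registered, so any
    // caller can write the settlement price for a newly added asset.
    function setExpiryPriceWeak(address asset, uint256 expiry, uint256 price) external {
        if (pricerOf[asset] != address(0)) {
            require(msg.sender == pricerOf[asset], "not pricer");
        }
        expiryPrice[asset][expiry] = price;
    }

    // HARDENED: fail closed. An asset with no registered pricer cannot be priced
    // at all, a price can only be set once per expiry, and only after expiry.
    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        address pricer = pricerOf[asset];
        require(pricer != address(0), "asset has no pricer");
        require(msg.sender == pricer, "not pricer");
        require(expiry <= block.timestamp, "expiry not reached");
        require(!finalized[asset][expiry], "price already set");
        require(price > 0, "zero price");
        expiryPrice[asset][expiry] = price;
        finalized[asset][expiry] = true;
    }
}
```

A vault that settles against `expiryPrice` is only as trustworthy as the weakest writer of that mapping, which is why the hardened form rejects unregistered assets outright instead of treating "no pricer" as "no restriction".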

Blockchain analyst Specter first reported suspicious outflows on X, flagging the exploit contract and 15 related addresses that each received close to 100 ETH. The stolen funds were split across these wallets to hinder tracking.

Legacy Ribbon contracts remain a security risk

Ribbon Finance, launched in 2021, had built a reputation for offering structured options strategies through its DeFi Options Vaults. During DeFi’s peak, these vaults held over $300 million in total value locked.

In 2023, Ribbon rebranded into Aevo and shifted to a Layer 2 derivatives exchange model. However, several older vault contracts stayed active on Ethereum, creating a lingering risk. The Aevo team said its main exchange and core trading infrastructure remain unaffected by this incident.

In its official statement, Aevo confirmed the scope of the hack and clarified that no users on its L2 exchange were impacted. The vulnerability only affected legacy Ribbon vaults still deployed on Ethereum.

Aevo halts vaults and sets capped recovery plan

Aevo halted all Ribbon vault operations immediately after the attack. The project’s statement said,

“We regret to confirm that the legacy Ribbon DOV vaults were exploited yesterday following a vulnerability in a smart contract update, resulting in a loss of approximately $2.7M USD.”

The team said it is working with centralized exchanges and blockchain security partners to mark and track the stolen funds. Aevo also confirmed that its Immunefi bug bounty remains active should a whitehat resolution emerge.

To address user losses, Aevo proposed that affected vault depositors may withdraw their funds with a 19% reduction, despite vault-level losses estimated at 32%. The smaller reduction is possible because the Aevo DAO plans to forfeit around $400,000 of its own vault positions and expects many dormant accounts not to withdraw.

“We're proposing to prioritize active users by granting them a smaller reduction upfront,” Aevo stated. “Given the expected dormancy rate, there's a strong chance that users who withdraw during the claim window will ultimately be made whole after the final distribution.”

The platform set a six-month claim period from December 12, 2025, to June 12, 2026. Afterward, the DAO will liquidate remaining vault assets and distribute any recovered funds pro rata to prior claimants, up to the missing 19%.

Ongoing community reaction and DeFi lessons

Community members expressed dissatisfaction with the capped reimbursement plan across social media channels, questioning the fairness of a 19% recovery cap. Some users also noted limited comment access on Aevo’s official posts, with the company requesting that users submit formal support tickets instead of open replies.

The incident reinforces how legacy smart contracts and outdated oracle systems remain high-value attack surfaces in decentralized finance.

Aevo’s swift decision to permanently decommission all Ribbon vaults underscores an industry-wide shift toward retiring legacy contracts before they become active risks. The exploit highlights a consistent pattern across DeFi: even dormant infrastructure can expose exploitable vulnerabilities when it is not fully deactivated.
