Aevo Legacy Ribbon Vaults Exploited for $2.7 Million After Oracle Upgrade Mishap
Aevo, the derivatives exchange that emerged from Ribbon Finance’s 2023 rebrand, is dealing with the aftermath of a $2.7 million exploit that hit its legacy DeFi Options Vaults earlier this month. The incident highlights how older smart contracts can remain exposed long after a protocol’s core focus has shifted.

The exploit occurred on Dec. 12 and targeted Ribbon’s DeFi Options Vaults, or DOVs, which once held more than $300 million in total value locked during the height of decentralized finance. Although Ribbon transitioned into Aevo last year, the vaults continued to operate on Ethereum using legacy infrastructure. Aevo said the breach did not affect its main Layer 2 trading platform.

Blockchain analyst Specter was among the first to spot unusual activity, flagging large outflows from the vaults on X. According to on-chain data, the attacker drained hundreds of ether along with sizable amounts of USDC. The funds were then split across 15 different wallets, many holding roughly 100 ETH each, a pattern often used to reduce traceability.

Further analysis by security researcher Liyi Zhou pointed to oracle manipulation as the root cause. In a detailed public thread, Zhou explained that the attacker abused price-feed proxies in the shared Opyn and Ribbon oracle stack. By doing so, they were able to inject arbitrary expiry prices for several assets, including wstETH, AAVE, LINK, and WBTC, all at the same expiry timestamp.

The vulnerability was linked to a Dec. 6 upgrade to the oracle infrastructure. Anton Cheng, a contributor at Monarch DeFi, said the update unintentionally allowed anyone to set prices for newly added assets. While the flaw enabled the exploit, Cheng emphasized that the Opyn protocol itself was not compromised. The issue was specific to how Ribbon’s oracle configuration handled the upgrade.
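The root cause described above, as an added illustrative model rather than Ribbon, Aevo or Opyn code: a minimal expiry-price oracle written in Python, in which each supported asset has one authorized pricer. The mechanism assumed here (an upgrade adds assets with the pricer left unset, and the weak variant treats "unset" as "anyone may set the price") is an assumption for the illustration, as are all addresses, asset names and timestamps. The block contrasts that weak behaviour with the hardened check and includes the post-upgrade invariant a reviewer would run before finalizing such an upgrade.

```python
from dataclasses import dataclass, field

# Sentinel for "no pricer registered", mirroring Solidity's address(0).
ZERO = "0x0000000000000000000000000000000000000000"


@dataclass
class ExpiryOracle:
    """Toy expiry-price oracle (hypothetical model): one pricer per asset."""
    owner: str
    # strict=True is the hardened rule; strict=False models the weak rule
    # assumed here for the post-upgrade behaviour (unset pricer => open access).
    strict: bool = True
    pricers: dict = field(default_factory=dict)  # asset -> authorized pricer
    prices: dict = field(default_factory=dict)   # (asset, expiry) -> price

    def add_asset(self, caller: str, asset: str, pricer: str = ZERO) -> None:
        """Owner-only. Defaulting the pricer to ZERO is the misconfiguration modelled."""
        if caller != self.owner:
            raise PermissionError("only the owner may add assets")
        self.pricers[asset] = pricer

    def set_expiry_price(self, caller: str, asset: str, expiry: int, price: int) -> None:
        if asset not in self.pricers:
            raise KeyError(f"{asset} is not a supported asset")
        if (asset, expiry) in self.prices:
            raise ValueError("expiry price already finalized")
        authorized = self.pricers[asset]
        if self.strict:
            # Hardened: an unset pricer is a configuration error, never open access.
            if authorized == ZERO or caller != authorized:
                raise PermissionError(f"{caller} is not the pricer for {asset}")
        elif authorized != ZERO and caller != authorized:
            # Weak: an unset pricer silently means "anyone may set the price".
            raise PermissionError(f"{caller} is not the pricer for {asset}")
        self.prices[(asset, expiry)] = price

    def get_expiry_price(self, asset: str, expiry: int):
        return self.prices.get((asset, expiry))


def unpriced_assets(oracle: ExpiryOracle) -> list:
    """Upgrade invariant: every supported asset must have a non-zero pricer.
    Returns the offending assets; an empty list means the check passes."""
    return sorted(a for a, p in oracle.pricers.items() if p == ZERO)


def attempt(oracle: ExpiryOracle, caller: str, asset: str, expiry: int, price: int) -> str:
    """Classify a price-setting attempt as 'ok', 'denied' or 'finalized'."""
    try:
        oracle.set_expiry_price(caller, asset, expiry, price)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "finalized"


def simulate_upgrade(strict: bool) -> dict:
    """Register one asset correctly, then add several assets the way a careless
    upgrade might (pricer left unset); report what an arbitrary caller can do
    and what the invariant check flags. All values are constructed samples."""
    oracle = ExpiryOracle(owner="0xDAO", strict=strict)
    oracle.add_asset("0xDAO", "WETH", pricer="0xFEED")
    for asset in ("wstETH", "AAVE", "LINK", "WBTC"):
        oracle.add_asset("0xDAO", asset)  # pricer left at ZERO by mistake
    expiry = 1_734_000_000  # constructed expiry timestamp
    outsider = {a: attempt(oracle, "0xRANDOM", a, expiry, 1) for a in ("WETH", "wstETH", "AAVE")}
    return {"outsider": outsider, "unpriced": unpriced_assets(oracle)}


if __name__ == "__main__":
    print("weak  :", simulate_upgrade(strict=False))
    print("strict:", simulate_upgrade(strict=True))
```

The point of `unpriced_assets` is that the invariant fails in both variants: the hardened rule only limits the damage, and the configuration gap is still there until a pricer is registered for every asset added by the upgrade. Running such a check in the deployment script, before the upgrade is finalized, is the cheap control this kind of incident calls for.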

In response, Aevo announced that all Ribbon vaults have been halted and will be fully decommissioned. The team estimated that the vaults suffered losses of around 32 percent overall. However, Aevo proposed a smaller, 19 percent reduction for user withdrawals based on the value of positions at the time of the hack.

Aevo said it could offer this reduced haircut for two main reasons. First, the protocol’s DAO plans to forfeit its own vault positions, worth roughly $400,000 across several assets, to help offset the losses. This would bring the net shortfall down to about $2.3 million. Second, the team noted that some of the largest vault deposits have been inactive for two to four years and may never be withdrawn.

“We’re proposing to prioritize active users by granting them a smaller reduction upfront,” the team wrote in a statement.

Aevo added that, given the expected level of dormant accounts, users who withdraw during the claims period could ultimately be made whole once remaining assets are redistributed.

The claims window will remain open for six months, running from Dec. 12 through June 12. After that, the DAO plans to liquidate any remaining assets and distribute them to users who already withdrew, potentially covering the remaining 19 percent shortfall, depending on available funds. Aevo also noted that the DAO never offered insurance on vault deposits.

The incident is the latest reminder that oracle manipulation remains a persistent risk in DeFi. Similar attacks have surfaced across the ecosystem, including a $717,000 exploit that hit Venus Protocol on ZKsync earlier this year.

As Aevo moves to fully shut down its legacy vaults, the episode underscores the importance of carefully managing upgrades and decommissioning older contracts. For users, it also highlights the need to stay aware of how protocol changes can affect long-standing positions.