Aevo Shuts Ribbon Vaults After $2.7 Million Oracle Manipulation Exploit

TLDR

• Legacy Ribbon DOV vaults were drained of about $2.7 million on December 12.

• A December 6 oracle upgrade allowed users to set prices for new assets.

• The exploit affected Ethereum vaults but not Aevo’s Layer 2 exchange.

• Aevo plans to decommission all Ribbon vaults and open a six month claim window.

Aevo confirmed that its legacy Ribbon Finance vaults lost about $2.7 million after a smart contract flaw. The issue followed an oracle upgrade that enabled price manipulation and targeted inactive DeFi options products.

The news is presented from the angle of an oracle upgrade vulnerability affecting dormant legacy DeFi infrastructure rather than active exchange operations.

Aevo Exploit linked to oracle upgrade

Security researchers reported that the exploit occurred on December 12, several days after an oracle upgrade. The upgrade was deployed on December 6 and affected price feeds for newly added assets.

Analysts said the change allowed any user to submit prices through proxy contracts. This allowed false expiry prices to be pushed into the shared oracle system. Assets involved included wstETH, AAVE, LINK, and WBTC.

Blockchain analyst Specter identified unusual outflows from Ribbon vault contracts. The funds were moved quickly after extraction. Most of the stolen value was held in ETH and USDC.

Another researcher, Liyi Zhou, explained the attack path in a public thread. Zhou wrote that a shared expiry timestamp was abused across multiple assets. This enabled coordinated price manipulation within the vault logic.

Scope of losses and fund movement

The total loss was estimated at about $2.7 million based on onchain data. Hundreds of ETH were removed alongside stablecoin balances. The attacker then spread funds across fifteen wallet addresses.

Several of those addresses received close to 100 ETH each. Researchers said this pattern suggested an attempt to reduce tracking risks. Centralized exchanges were alerted to monitor related wallets.

Anton Cheng of Monarch DeFi said the flaw was limited to Ribbon’s oracle setup. He stated that Opyn’s core protocol was not compromised. The weakness came from how Ribbon configured the upgrade.

Aevo also confirmed that its Layer 2 derivatives exchange was unaffected. Trading, deposits, and withdrawals on the exchange continued without interruption.

Response from Aevo and vault shutdown

Aevo announced that all Ribbon vaults were stopped following the incident. The team said the vaults would be fully decommissioned. No new activity will be allowed.

In a public statement, Aevo said,

The company proposed a plan for remaining vault users. Withdrawals would face a 19% reduction instead of the full 32% loss. Aevo said this approach favors active participants.

The DAO also said it would forfeit about $400,000 of its own vault positions. This step reduces the net loss to about $2.3 million. Aevo noted that no insurance was promised.

Claim process and next steps

Aevo set a six month claim window running from December 12 to June 12. Users can withdraw during this period under the proposed terms.

After the deadline, remaining assets will be liquidated by the DAO. Proceeds will be distributed to prior claimants. Payments may cover part or all of the remaining shortfall.

Aevo said many large accounts have been inactive for years. The team expects some deposits will remain unclaimed. These funds may help offset losses for active users.

A full post mortem is expected to be released. Aevo said it remains open to a whitehat resolution through its bounty program.