Aevo's Ribbon Vaults Lose $2.7M in Oracle Exploit
CMC Crypto News

The vulnerability was specific to Ribbon's oracle configuration and did not affect the underlying Opyn protocol or Aevo's primary layer-2 exchange.

Legacy DeFi options vaults from Ribbon Finance were drained of approximately $2.7 million on Dec. 12. The attack targeted smart contracts that remained active on Ethereum despite Ribbon's 2023 rebrand to Aevo.

Security analysts traced the exploit to a Dec. 6 oracle upgrade that inadvertently allowed any user to set prices for newly added assets. The vulnerability was specific to Ribbon's oracle configuration and did not affect the underlying Opyn protocol or Aevo's primary layer-2 exchange.

Blockchain analyst Specter first identified suspicious outflows on X, flagging the exploit contract address and initial theft wallets. The attacker extracted hundreds of ETH and significant USDC holdings before distributing proceeds to 15 separate addresses.

Security researcher Liyi Zhou published a detailed analysis explaining how the attacker manipulated the Opyn/Ribbon oracle stack. The exploit pushed arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common expiry timestamp.

Anton Cheng of Monarch DeFi confirmed that the Dec. 6 upgrade let anyone set prices for new assets. The targeted DeFi Options Vaults once held over $300 million in total value locked during DeFi's peak period.
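To make the failure mode concrete, here is an added, hypothetical model of an expiry-price oracle that authorizes one pricer per asset; it is not Ribbon's, Opyn's or Aevo's code. The fail-open branch stands in for the kind of configuration the analysts describe (an asset listed with no pricer accepts prices from any caller), while the fail-closed branch and the post-upgrade check are the mitigation. Asset names, addresses and the expiry timestamp are constructed.

```python
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a caller is not allowed to perform the oracle operation."""


@dataclass
class ExpiryOracle:
    """Hypothetical expiry-price oracle: one authorized pricer per asset."""
    owner: str
    fail_closed: bool = True                      # hardened behaviour
    pricers: dict = field(default_factory=dict)   # asset -> authorized pricer
    prices: dict = field(default_factory=dict)    # (asset, expiry) -> settled price

    def set_pricer(self, caller: str, asset: str, pricer: str) -> None:
        # Only governance may register or replace an asset's pricer.
        if caller != self.owner:
            raise Unauthorized("only owner may set pricers")
        self.pricers[asset] = pricer

    def set_expiry_price(self, caller: str, asset: str, expiry: int, price: int) -> None:
        pricer = self.pricers.get(asset)
        if pricer is None:
            # Newly listed asset with no pricer yet: fail-closed rejects every
            # caller, while the fail-open variant lets anyone settle the price.
            if self.fail_closed:
                raise Unauthorized(f"no pricer registered for {asset}")
        elif caller != pricer:
            raise Unauthorized(f"{caller} is not the pricer for {asset}")
        if (asset, expiry) in self.prices:
            raise ValueError("expiry price already finalized")
        self.prices[(asset, expiry)] = price


def unpriced_assets(oracle: ExpiryOracle, listed_assets: list) -> list:
    """Post-upgrade check: listed assets that still lack an authorized pricer."""
    return [a for a in listed_assets if a not in oracle.pricers]


def demo() -> dict:
    # Constructed scenario: WBTC has a pricer, "NEW" was listed without one.
    results = {}
    for fail_closed in (False, True):
        o = ExpiryOracle(owner="gov", fail_closed=fail_closed)
        o.set_pricer("gov", "WBTC", "wbtc_pricer")
        try:
            o.set_expiry_price("random_user", "NEW", 1_700_000_000, 1)
            results[fail_closed] = "accepted"
        except Unauthorized:
            results[fail_closed] = "rejected"
    return results
```

Running `unpriced_assets` against the full asset list after every oracle upgrade is the cheap deployment gate that catches a listed-but-unpriced asset before a settlement window opens.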

Aevo announced that all Ribbon vaults have been stopped and will be decommissioned immediately. The team proposed that withdrawals be subject to only a 19% reduction in position value at the time of the hack, despite the vaults suffering approximately 32% in losses.

The smaller haircut is possible because the DAO will forfeit its own vault positions worth roughly $400,000 to partially offset the theft. This reduces net losses to $2.3 million. Additionally, accounts with the largest deposits have gone dormant over the past two to four years and likely will not withdraw.

Aevo is prioritizing active users by granting them a smaller reduction upfront. The claim window will run six months from Dec. 12 to June 12. After that date, the DAO will liquidate remaining assets and distribute them to users who previously withdrew, compensating up to the missing 19% or as much as remains available.

The team noted the DAO never promised or offered insurance on deposits. Oracle manipulation remains a persistent DeFi attack vector, with Venus Protocol on ZKsync losing $717,000 in a similar exploit earlier this year.