Aevo Ribbon Vaults Lose $2.7M in Exploit

Murugaverl Mahasenan

Catenaa, Wednesday, December 17, 2025 - Aevo’s legacy Ribbon Finance smart contracts were exploited for roughly $2.7 million following an oracle infrastructure upgrade, security researchers said.

The attack targeted Ribbon’s DeFi Options Vaults (DOVs), which once held over $300 million during DeFi’s peak.

The vaults remained active on Ethereum despite Ribbon Finance’s 2023 rebrand into derivatives exchange Aevo. The primary Layer 2 exchange was not affected.

Researchers reported that the attacker manipulated the Opyn/Ribbon oracle stack by exploiting newly introduced price-feed proxies, pushing arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common timestamp.

The vulnerability stemmed from a Dec. 6 upgrade that allowed any user to set prices for new assets. The underlying Opyn protocol remained uncompromised.

Aevo said it will immediately decommission all Ribbon vaults. Losses totaled around 32% of vault positions, but withdrawals will incur a 19% reduction, with the difference partially offset by the DAO forfeiting $400,000 of its own positions and by dormant accounts that are unlikely to withdraw.

The six-month claim window runs from Dec. 12 to June 12, after which remaining assets will be distributed to compensate active users as fully as possible.

Oracle manipulation continues to be a persistent threat in DeFi. Similar attacks occurred earlier this year, including a $717,000 exploit of Venus Protocol on ZKsync.