What Happened in the Aevo and Ribbon DOV Vault Exploit?

2025-12-15

Aevo confirmed that its legacy Ribbon Finance DeFi Options Vaults were exploited for approximately $2.7 million following an oracle infrastructure upgrade. The incident highlights how even dormant or legacy smart contracts can remain a critical attack surface in DeFi.

The exploit occurred on December 12, several days after a December 6 oracle code update. While Ribbon Finance rebranded into Aevo in 2023, the older Ribbon DOV smart contracts were still active on Ethereum. These contracts became vulnerable due to a misconfigured oracle upgrade that allowed price manipulation.

Importantly, Aevo stated that its primary Layer 2 derivatives exchange was not affected. The issue was isolated to the legacy Ribbon vaults, which once held more than $300 million in total value locked during DeFi’s peak.

Key Takeaways

  • Legacy Ribbon DOV vaults were exploited for approximately $2.7 million
  • The root cause was a flawed oracle upgrade deployed on December 6
  • Attackers were able to arbitrarily set asset prices at expiry
  • Aevo will permanently decommission all Ribbon vaults
  • Oracle manipulation remains one of DeFi’s most persistent risks

Background on Ribbon Finance and Aevo

From Ribbon Finance to Aevo

Ribbon Finance was one of the early DeFi structured product protocols, offering automated options strategies through DeFi Options Vaults. At its peak, Ribbon managed hundreds of millions in user deposits.

In 2023, Ribbon rebranded into Aevo and pivoted toward a Layer 2 derivatives exchange. Despite this transition, several legacy Ribbon vaults remained deployed and accessible on Ethereum.

These vaults continued operating with limited activity, creating a situation where outdated infrastructure coexisted alongside a modernized core platform.

Why Legacy Contracts Matter

Legacy smart contracts are often overlooked once a protocol pivots. However, as this incident shows, any contract holding assets remains a viable target regardless of user activity levels.

Attackers tend to monitor dormant systems closely, especially when upgrades or changes occur.

How the Aevo Ribbon DOV Exploit Happened

The Oracle Upgrade That Introduced Risk

According to security researchers, the vulnerability was introduced during a December 6 oracle code upgrade. The change inadvertently allowed any user to set prices for newly added assets in the oracle system.

This meant that expiry prices for certain assets were no longer securely controlled by trusted price feeds.

Oracle Manipulation Mechanics

The attacker exploited the Opyn and Ribbon oracle stack by abusing price feed proxies. They injected arbitrary expiry prices for several assets at a shared expiration timestamp.

Assets affected included:

  • wstETH
  • AAVE
  • LINK
  • WBTC

By manipulating expiry prices, the attacker could extract value from the vaults in a way that appeared valid under the flawed oracle logic.
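The two checks a defender would want over oracle writes are the ones this incident makes obvious: was the address that wrote an expiry price the pricer configured for that asset, and does the value agree with an independent reference feed? The following monitor is an added example, not code from Aevo, Ribbon, Opyn or the researchers cited above; the event shape, the pricer and reference tables, the addresses and the sample events are all constructed. It also flags the cross-event pattern the article describes: one untrusted caller writing prices for several assets at a single shared expiry timestamp.

```python
"""Heuristic monitor for expiry-price writes to an options oracle.

Added example, not Ribbon/Opyn/Aevo code.  Event shape, addresses, reference
prices and the sample events are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: the one address trusted to post expiry prices for each asset.
AUTHORISED_PRICERS = {
    "WETH": "0xPRICER_WETH",
    "wstETH": "0xPRICER_WSTETH",
    "AAVE": "0xPRICER_AAVE",
    "LINK": "0xPRICER_LINK",
    "WBTC": "0xPRICER_WBTC",
}

# Constructed: prices from an independent feed, used as a sanity reference.
REFERENCE_PRICES = {
    "WETH": 3200.0, "wstETH": 3700.0, "AAVE": 180.0, "LINK": 14.0, "WBTC": 88000.0,
}

MAX_DEVIATION = 0.20  # flag writes more than 20% away from the reference


@dataclass(frozen=True)
class ExpiryPriceSet:
    """One oracle write: which asset, for which expiry, what price, by whom."""
    asset: str
    expiry: int
    price: float
    caller: str


def check_event(ev, authorised=AUTHORISED_PRICERS, reference=REFERENCE_PRICES,
                max_dev=MAX_DEVIATION):
    """Per-event checks; returns a list of findings (empty means clean)."""
    findings = []
    pricer = authorised.get(ev.asset)
    if pricer is None:
        findings.append("no authorised pricer configured for asset")
    elif ev.caller != pricer:
        findings.append(f"price set by unauthorised caller {ev.caller}")
    ref = reference.get(ev.asset)
    if ref is None:
        findings.append("no reference price available")
    else:
        dev = abs(ev.price - ref) / ref
        if dev > max_dev:
            findings.append(f"price deviates {dev:.0%} from reference {ref}")
    return findings


def scan(events, authorised=AUTHORISED_PRICERS, reference=REFERENCE_PRICES,
         max_dev=MAX_DEVIATION):
    """Run per-event checks plus one cross-event check: a caller who is not a
    configured pricer writing prices for several assets at one shared expiry."""
    per_event = {}
    for ev in events:
        findings = check_event(ev, authorised, reference, max_dev)
        if findings:
            per_event[(ev.asset, ev.expiry)] = findings

    assets_by_caller_expiry = {}
    for ev in events:
        assets_by_caller_expiry.setdefault((ev.caller, ev.expiry), set()).add(ev.asset)
    trusted = set(authorised.values())
    shared_expiry = {
        key: sorted(assets)
        for key, assets in assets_by_caller_expiry.items()
        if key[0] not in trusted and len(assets) > 1
    }
    return {"per_event": per_event, "shared_expiry": shared_expiry}


# Constructed sample: one legitimate write followed by four writes from a single
# untrusted address, all for the same expiry timestamp.
EXPIRY = 1765526400
SAMPLE_EVENTS = [
    ExpiryPriceSet("WETH", EXPIRY, 3210.0, "0xPRICER_WETH"),
    ExpiryPriceSet("wstETH", EXPIRY, 1.0, "0xUNTRUSTED_EOA"),
    ExpiryPriceSet("AAVE", EXPIRY, 1.0, "0xUNTRUSTED_EOA"),
    ExpiryPriceSet("LINK", EXPIRY, 1.0, "0xUNTRUSTED_EOA"),
    ExpiryPriceSet("WBTC", EXPIRY, 1.0, "0xUNTRUSTED_EOA"),
]

if __name__ == "__main__":
    report = scan(SAMPLE_EVENTS)
    for key, findings in report["per_event"].items():
        print(key, findings)
    for (caller, expiry), assets in report["shared_expiry"].items():
        print(f"{caller} wrote {len(assets)} assets at expiry {expiry}: {assets}")
```

In a real deployment the events would come from the oracle contract's logs and the reference prices from a feed the oracle itself does not depend on; the point of the shared-expiry check is that a single legitimate-looking write is easy to miss, while several assets settled by one unknown address at the same timestamp is not.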

Scope of the Attack

Blockchain analysts observed that the attacker drained hundreds of ETH and significant stablecoin balances. The stolen funds were distributed across 15 wallet addresses, many holding approximately 100 ETH each.

The use of multiple wallets suggests an attempt to reduce traceability and complicate recovery efforts.

What Was Not Compromised

Opyn Protocol Remained Secure

Security researchers confirmed that the underlying Opyn protocol was not compromised. The vulnerability was specific to Ribbon’s oracle configuration rather than the broader options infrastructure.

This distinction is important, as it narrows responsibility to implementation choices rather than systemic protocol flaws.

Aevo’s Core Exchange Was Unaffected

Aevo emphasized that its Layer 2 derivatives exchange and active products were not impacted by the exploit. User funds on the primary Aevo platform remain secure.

This separation helped contain reputational damage and limited systemic risk.

Aevo’s Response and Mitigation Plan

Immediate Decommissioning of Ribbon Vaults

Aevo announced that all Ribbon DOV vaults have been halted and will be fully decommissioned. No further interaction with these contracts will be possible.

This marks a definitive end to Ribbon’s legacy infrastructure.

Proposed Loss Allocation

Although the vaults suffered approximately 32% losses, Aevo proposed limiting user withdrawals to a 19% haircut.

This is made possible by:

  • The DAO forfeiting approximately $400,000 of its own vault positions
  • An expectation that many large, dormant accounts will not withdraw

Aevo believes this approach prioritizes active users while preserving the possibility of full recovery over time.

Claim Window and User Compensation

Withdrawal Timeline

Aevo established a six-month claim window running from December 12 to June 12. During this period, users can withdraw their remaining vault balances with the proposed reduction.

After the claim window closes:

  • Remaining assets will be liquidated by the DAO
  • Proceeds will be distributed to prior claimants
  • Users may be compensated up to the missing 19%, depending on available funds

Aevo noted that the DAO never offered insurance guarantees on vault deposits.

Why Oracle Attacks Remain a Major DeFi Risk

A Recurrent Attack Vector

Oracle manipulation continues to be one of the most common DeFi exploits. Similar incidents have occurred across lending, derivatives, and yield protocols.

Earlier in 2025, Venus Protocol on ZKsync lost $717,000 due to a comparable oracle vulnerability.

Why Oracles Are Hard to Secure

Oracles sit at the boundary between on-chain logic and off-chain data. Any misconfiguration can create an opening for attackers to inject false information that smart contracts trust blindly.

Upgrades are particularly risky because:

  • New assets may lack proper access controls
  • Edge cases may not be fully tested
  • Legacy assumptions may break silently

Lessons for DeFi Users and Builders

For Users

DeFi users should recognize that:

  • Legacy contracts can carry hidden risk
  • Inactive vaults are not inherently safer
  • Oracle design matters as much as smart contract code

Diversification and awareness of protocol upgrades are essential.

For Protocol Teams

Builders can take several lessons from this incident:

  • Decommission unused contracts aggressively
  • Apply strict access controls to oracle updates
  • Audit upgrade paths, not just core logic
  • Treat legacy systems as live risk surfaces

Security does not end with a rebrand or pivot.
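The first item in the upgrade-risk list above (new assets lacking proper access controls) and two of the builder lessons (strict access control on oracle updates, auditing upgrade paths) are really one property: a price setter must default to deny, and a review of the post-upgrade state must prove that it does. The model below is an added example in plain Python, not Ribbon's, Opyn's or Aevo's contract code; the per-asset "pricer" role, the method names and the probe address are assumptions modelled on the article's description of the flaw. It places the weak pattern beside a hardened one and runs the invariant check a reviewer would want after any oracle upgrade.

```python
"""Two access-control variants of an expiry-price oracle and the invariant
probe an upgrade review should run against the post-upgrade state.

Added example in plain Python, not Ribbon/Opyn/Aevo code; the per-asset
'pricer' role and all method names are assumptions modelled on the article's
description of the flaw.
"""
import copy

ZERO = "0x" + "00" * 20


class Unauthorized(Exception):
    pass


class WeakOracle:
    """Variant 1: anyone may register an asset and a pricer is optional; the
    setter treats 'no pricer configured' as 'no restriction' (default allow)."""

    def __init__(self, owner):
        self.owner = owner
        self.pricer = {}        # asset -> address allowed to post expiry prices
        self.expiry_price = {}  # (asset, expiry) -> price

    def add_asset(self, caller, asset, pricer=ZERO):
        self.pricer.setdefault(asset, pricer)

    def set_expiry_price(self, caller, asset, expiry, price):
        pricer = self.pricer.get(asset, ZERO)
        if pricer != ZERO and caller != pricer:
            raise Unauthorized(asset)
        self.expiry_price[(asset, expiry)] = price


class HardenedOracle(WeakOracle):
    """Variant 2: owner-only registration that must name a pricer, default-deny
    writes, write-once settlement and a positivity check on the value."""

    def add_asset(self, caller, asset, pricer=ZERO):
        if caller != self.owner:
            raise Unauthorized("only the owner may register assets")
        if pricer == ZERO:
            raise ValueError("asset must be registered with a trusted pricer")
        if asset in self.pricer:
            raise ValueError("asset already registered")
        self.pricer[asset] = pricer

    def set_expiry_price(self, caller, asset, expiry, price):
        pricer = self.pricer.get(asset, ZERO)
        if pricer == ZERO or caller != pricer:
            raise Unauthorized(asset)  # unknown asset or wrong caller: deny
        if (asset, expiry) in self.expiry_price:
            raise ValueError("expiry price already settled")
        if price <= 0:
            raise ValueError("expiry price must be positive")
        self.expiry_price[(asset, expiry)] = price


def can_write_price(oracle, caller, asset):
    """Probe whether `caller` could settle a price for `asset`, on a deep copy
    so the live state is untouched."""
    trial = copy.deepcopy(oracle)
    try:
        trial.set_expiry_price(caller, asset, expiry=0, price=1)
        return True
    except Unauthorized:
        return False


def upgrade_invariants(oracle, probe="0xPROBE_UNPRIVILEGED"):
    """Post-upgrade review: every registered asset must have a non-zero pricer,
    and an arbitrary unprivileged address must not be able to write a price.
    Returns the assets that violate either rule (empty list means clean)."""
    violations = []
    for asset, pricer in oracle.pricer.items():
        if pricer == ZERO or can_write_price(oracle, probe, asset):
            violations.append(asset)
    return sorted(violations)


def demo():
    """Register the same new asset on both variants and compare the probe."""
    weak = WeakOracle(owner="0xOWNER")
    weak.add_asset("0xANYONE", "wstETH")  # new asset, no pricer bound
    hardened = HardenedOracle(owner="0xOWNER")
    hardened.add_asset("0xOWNER", "wstETH", pricer="0xPRICER_WSTETH")
    return upgrade_invariants(weak), upgrade_invariants(hardened)


if __name__ == "__main__":
    weak_violations, hardened_violations = demo()
    print("weak oracle violations:    ", weak_violations)
    print("hardened oracle violations:", hardened_violations)
```

The design point is the inversion in `set_expiry_price`: the weak variant asks "is there a rule that forbids this caller?" and so lets every newly registered asset through, while the hardened one asks "is this exactly the trusted pricer?" and so fails closed for anything the upgrade forgot to configure. The invariant probe belongs in the upgrade checklist, run against the deployed state rather than the source, because it is the state after the change that the attacker interacts with.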

Final Thoughts

The Aevo Ribbon DOV exploit is a reminder that DeFi risk often hides in the margins. While innovation moves forward, legacy infrastructure can become an unexpected liability when left active.

Oracle systems remain one of the most fragile components of DeFi architecture. Even small configuration changes can cascade into multi-million-dollar losses if not carefully controlled.

For Aevo, decisive action to decommission the vaults and partially compensate users may limit long-term fallout. For the broader DeFi ecosystem, this incident reinforces a hard truth: security debt compounds quietly, until it does not.

FAQs

What caused the Aevo Ribbon DOV vault exploit?

The exploit was caused by a flawed oracle upgrade that allowed any user to set prices for newly added assets.

How much was lost in the exploit?

Approximately $2.7 million was drained from the legacy Ribbon DOV vaults.

Was Aevo’s main exchange affected?

No. Aevo confirmed that its Layer 2 derivatives exchange was not impacted.

Will users be compensated?

Aevo proposed limiting withdrawals to a 19% haircut, with a chance of full recovery depending on remaining assets and dormant accounts.

Why are oracle attacks common in DeFi?

Oracle systems bridge off-chain data and on-chain logic. Misconfigurations or upgrade errors can allow attackers to manipulate trusted price inputs.

Disclaimer: The content of this article does not constitute financial or investment advice.
