Aevo’s legacy Ribbon DOV vaults exploited for $2.7 million following oracle upgrade
Summary
Aevo's legacy Ribbon Finance DeFi Options Vaults (DOVs) were exploited for approximately $2.7 million on December 12 due to a vulnerability introduced by a recent oracle infrastructure upgrade. The attack targeted the older Ribbon contracts, which remained active despite Ribbon's transition to the Aevo derivatives exchange, but did not affect Aevo's primary Layer 2 exchange.
The exploit involved manipulating the Opyn/Ribbon oracle stack by pushing arbitrary expiry prices for assets like wstETH and WBTC. This was made possible by a December 6 upgrade that allowed anyone to set prices for new assets. The attacker extracted significant ETH and USDC before distributing the funds across multiple addresses.
Aevo announced that all Ribbon vaults would be immediately decommissioned. While the vaults suffered about 32% in losses, the team proposed limiting user reductions to 19% of their position value. This mitigation is possible because the DAO will forfeit its own vault positions (about $400,000) and because long-term depositors are expected to remain dormant. A six-month claim window is set, after which remaining assets will be liquidated to compensate users for up to the 19% in missing value.
(Source: The Block)