Aevo disclosed on Sunday, December 14, that on December 12 an attacker drained approximately $2.7 million from its legacy Ribbon Finance DeFi Option Vaults (DOVs) by exploiting a vulnerability introduced during a Chainlink oracle upgrade, marking the second major incident for the DeFi options platform in 2025.
We have an update on the legacy Ribbon DOVs exploit, specifically the next steps we're proposing for impacted vault depositors.
If you have an active Ribbon vault position, please read carefully, as action will be required on your side.
All Ribbon vaults have been stopped and…
— Aevo (fka Ribbon Finance) (@ribbonfinance) December 14, 2025
The breach targeted outdated Ribbon vaults that Aevo inherited when Ribbon merged into it in 2023, allowing the exploiter to manipulate price feeds and withdraw funds from ETH and BTC vaults. Aevo confirmed the loss was contained to legacy products with under $3 million TVL, stressing that its current V2 vaults and main options platform remain unaffected.
In a statement confirming the attack, Aevo announced it will immediately decommission all legacy Ribbon vaults. While gross losses reached 32%, the team proposed capping the haircut on withdrawals at 19% of each position's value at the time of the attack.
The team gave two reasons the smaller haircut is workable. “We’re prioritizing active users with a reduced haircut upfront,” it stated on X. “Given expected dormancy, those who withdraw during the claim window have a strong chance of being made whole after final distribution.” The six-month claim window runs from December 12 to June 12, 2026; any assets still unclaimed at that point will be liquidated and distributed to earlier claimants to cover as much of the 19% gap as possible. Aevo noted the DAO “never promised or offered insurance on deposits.”
On-chain monitor Specter first raised the alarm on X, pinpointing the exploit contract and the attacker’s initial wallets as suspicious ETH and USDC outflows began. The attacker drained hundreds of ETH and large USDC positions before splitting proceeds across 15 addresses, most holding roughly 100 ETH each.
The old contract of @ribbonfinance has been drained for a total of $2.7M.
Exploit contract: 0x3c212A044760DE5a529B3Ba59363ddeCcc2210bE
Theft addresses:
0x354ad0816de79E72452C14001F564e5fDf9a355e
0x2Cfea8EfAb822778E4e109E8f9BCdc3e9E22CCC9…
— Specter (@SpecterAnalyst) December 12, 2025
Security researcher Liyi Zhou detailed the workings of the attack in a subsequent X thread. The thread walked readers through how the attacker abused Ribbon’s shared oracle by pushing manipulated expiry prices for wstETH, AAVE, LINK, and WBTC through upgradeable price-feed proxies into the shared oracle at a common timestamp.
Looked a bit into this with @Zyy_0530 this morning after we woke up.
An attacker-controlled contract manipulated the Opyn/Ribbon oracle stack by abusing upgradeable price-feed proxies to push arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared Oracle at a… https://t.co/BjY2JNOE84
— Liyi Zhou (@lzhou1110) December 13, 2025
Monarch DeFi’s Anton Cheng clarified that a December 6 oracle upgrade had inadvertently allowed anyone to set prices for newly added assets, creating the entry point. He also stressed that Opyn’s core protocol remained secure; the flaw was isolated to Ribbon’s configuration.
Oracle manipulation remains a recurring DeFi risk vector, as seen in Venus Protocol’s $717,000 loss on ZKsync earlier this year. It remains to be seen what measures will be put in place to stem this tide before further losses accrue.
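As an added illustration (not Opyn's, Ribbon's or Aevo's code, and not a reproduction of the actual December upgrade), the following Solidity sketch shows the bug class Cheng describes: an expiry-price oracle whose pricer check silently becomes a no-op for assets that have no registered pricer, an attacker contract that seeds prices for several such assets at one expiry in a single transaction, and a hardened oracle that fails closed, accepts prices only after expiry, and holds them in a dispute window before settlement may use them. The contract and function names, the fallback in `setExpiryPrice`, and the dispute-window mechanism are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of an Opyn-style expiry-price oracle (added example, not
// project code). The real change in the December upgrade is not reproduced;
// the fallback in VulnerableExpiryOracle.setExpiryPrice is one way such a
// hole arises: a missing configuration degrades into "no authorization".

contract VulnerableExpiryOracle {
    address public immutable owner;
    // asset => pricer contract allowed to report that asset's settlement price
    mapping(address => address) public assetPricer;
    // asset => expiry timestamp => reported settlement price
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;
    mapping(address => mapping(uint256 => bool)) public priceSet;

    constructor() { owner = msg.sender; }

    function setAssetPricer(address asset, address pricer) external {
        require(msg.sender == owner, "not owner");
        assetPricer[asset] = pricer;
    }

    // BUG (hypothetical): for an asset whose pricer was never registered the
    // `if` skips the check entirely, so any caller can fix its settlement price.
    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        address pricer = assetPricer[asset];
        if (pricer != address(0)) {
            require(msg.sender == pricer, "not pricer");
        }
        require(!priceSet[asset][expiry], "already set");
        expiryPrice[asset][expiry] = price;
        priceSet[asset][expiry] = true;
    }

    function getExpiryPrice(address asset, uint256 expiry) external view returns (uint256, bool) {
        return (expiryPrice[asset][expiry], priceSet[asset][expiry]);
    }
}

// Attacker-controlled contract: one transaction seeds a settlement price for
// every unconfigured asset at the same expiry, so every vault settling against
// that timestamp reads attacker-chosen numbers.
contract SeedExpiryPrices {
    function run(
        VulnerableExpiryOracle oracle,
        address[] calldata assets,
        uint256 expiry,
        uint256[] calldata prices
    ) external {
        require(assets.length == prices.length, "length mismatch");
        for (uint256 i = 0; i < assets.length; i++) {
            oracle.setExpiryPrice(assets[i], expiry, prices[i]);
        }
    }
}

// Hardened version: unknown assets revert, prices are accepted only after the
// expiry has passed, and each price stays challengeable for a dispute window.
contract HardenedExpiryOracle {
    address public immutable owner;
    uint256 public immutable disputePeriod; // seconds a fresh price remains challengeable
    mapping(address => address) public assetPricer;
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;
    mapping(address => mapping(uint256 => uint256)) public reportedAt;

    constructor(uint256 disputePeriod_) {
        owner = msg.sender;
        disputePeriod = disputePeriod_;
    }

    function setAssetPricer(address asset, address pricer) external {
        require(msg.sender == owner, "not owner");
        require(pricer != address(0), "zero pricer");
        assetPricer[asset] = pricer;
    }

    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        address pricer = assetPricer[asset];
        require(pricer != address(0), "asset has no pricer"); // fail closed
        require(msg.sender == pricer, "not pricer");
        require(expiry <= block.timestamp, "not yet expired");
        require(reportedAt[asset][expiry] == 0, "already set");
        require(price != 0, "zero price");
        expiryPrice[asset][expiry] = price;
        reportedAt[asset][expiry] = block.timestamp;
    }

    // Owner may overwrite a reported price while its dispute window is open.
    function disputeExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        require(msg.sender == owner, "not owner");
        uint256 t = reportedAt[asset][expiry];
        require(t != 0 && block.timestamp < t + disputePeriod, "not disputable");
        expiryPrice[asset][expiry] = price;
    }

    // Vault settlement should call this and refuse to settle until `finalized` is true.
    function getExpiryPrice(address asset, uint256 expiry) external view returns (uint256 price, bool finalized) {
        uint256 t = reportedAt[asset][expiry];
        price = expiryPrice[asset][expiry];
        finalized = t != 0 && block.timestamp >= t + disputePeriod;
    }
}
```

The contrast to look for in any oracle upgrade review is the shape of the authorization check: a check that is conditional on configuration existing (`if (pricer != address(0))`) turns every asset added without a pricer into a public write path, whereas the hardened form makes a missing pricer a hard revert. The dispute window does not prevent a bad price from being written, but it gives monitoring such as Specter's time to flag the write before settlement consumes it.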