Oracle misconfiguration enabled price manipulation across dormant DeFi options vaults
Legacy DeFi Options Vaults (DOVs) originally launched by Ribbon Finance and later absorbed into Aevo were exploited on Dec. 12, resulting in losses of approximately $2.7 million. The affected vaults remained live on Ethereum despite Ribbon's 2023 rebrand to Aevo, even though user activity had declined significantly from peak levels.
Security researchers traced the exploit to a Dec. 6 oracle infrastructure upgrade. The update unintentionally allowed any user to set prices for newly added assets, opening the door to manipulation.
Because the vaults settle expired options against the oracle's reported expiry price, attackers injected arbitrary expiry prices for assets including wstETH, AAVE, LINK, and WBTC, and the resulting settlements let them drain funds from the vaults.
The exploit did not impact Aevo’s main Layer 2 derivatives exchange, as the vulnerability was isolated to the legacy oracle configuration tied to the Ribbon vaults.
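To make the failure mode concrete, here is an added Python model (not Ribbon, Aevo or Opyn code) of an expiry-price oracle that is open by default for newly added assets, the same oracle with a default-deny check, and a covered-call vault that settles against whatever price the oracle holds. The shape of the bug (a pricer check that is only enforced once a pricer has been registered, so an unconfigured asset accepts a price from any caller), the addresses, the strike, the expiry and the prices are all assumptions chosen for illustration; the only fact taken from the report is that the upgrade let any user set prices for newly added assets.

```python
"""Added illustration of an expiry-price oracle that is open by default for
newly added assets, beside a default-deny version, and a covered-call
vault that settles against it.

This is not Ribbon, Aevo or Opyn code. The exact shape of the bug, the
addresses, the strike and the prices are assumptions; the only fact taken
from the report is that anyone could set prices for newly added assets.
"""
from dataclasses import dataclass, field

ADMIN = "0xadmin"        # assumed: governance address that registers pricers
PRICER = "0xpricer"      # assumed: the one address allowed to post wstETH prices
ATTACKER = "0xattacker"  # assumed: arbitrary unprivileged caller


class Unauthorized(Exception):
    pass


@dataclass
class Oracle:
    # strict=False reproduces the assumed misconfiguration, strict=True the fix
    strict: bool
    pricers: dict = field(default_factory=dict)        # asset -> authorised pricer
    expiry_prices: dict = field(default_factory=dict)  # (asset, expiry) -> price

    def set_pricer(self, caller: str, asset: str, pricer: str) -> None:
        if caller != ADMIN:
            raise Unauthorized("only admin may register a pricer")
        self.pricers[asset] = pricer

    def set_expiry_price(self, caller: str, asset: str, expiry: int, price: float) -> None:
        pricer = self.pricers.get(asset)
        if self.strict:
            # Default deny: an asset with no registered pricer cannot be priced
            # by anyone, and a registered asset only by its pricer.
            if pricer is None or caller != pricer:
                raise Unauthorized(f"{caller} may not price {asset}")
        else:
            # Assumed bug: the check is only enforced once a pricer exists, so a
            # newly added asset accepts a price from any caller until configured.
            if pricer is not None and caller != pricer:
                raise Unauthorized(f"{caller} may not price {asset}")
        if (asset, expiry) in self.expiry_prices:
            raise ValueError("expiry price already finalised")  # first write wins
        self.expiry_prices[(asset, expiry)] = price


@dataclass
class CoveredCallVault:
    """Vault that sold calls on `size` units of `asset`, fully collateralised."""
    asset: str
    collateral: float  # units of the underlying locked in the vault
    strike: float      # quote-currency strike of the calls sold
    size: float        # units of underlying the calls cover

    def settle(self, oracle: Oracle, expiry: int) -> float:
        """Units of collateral paid out to option holders at the oracle price."""
        price = oracle.expiry_prices[(self.asset, expiry)]
        payout_value = max(price - self.strike, 0.0) * self.size  # quote currency
        # Physically settled in the underlying, capped at what the vault holds.
        return min(payout_value / price, self.collateral)


EXPIRY = 1_765_000_000  # assumed unix timestamp of the affected expiry


def new_vault() -> CoveredCallVault:
    # Assumed figures: 1,000 wstETH locked, calls struck at 4,000 quote units.
    return CoveredCallVault(asset="wstETH", collateral=1000.0, strike=4000.0, size=1000.0)


def attacker_settlement(strict: bool):
    """Collateral drained by an attacker-posted price, or None if the oracle blocks it."""
    oracle = Oracle(strict=strict)
    vault = new_vault()
    try:
        oracle.set_expiry_price(ATTACKER, "wstETH", EXPIRY, 1e9)  # absurd price
    except Unauthorized:
        return None
    return vault.settle(oracle, EXPIRY)


def attacker_blocked_once_registered(strict: bool) -> bool:
    """Both variants reject the attacker once a pricer has been registered."""
    oracle = Oracle(strict=strict)
    oracle.set_pricer(ADMIN, "wstETH", PRICER)
    try:
        oracle.set_expiry_price(ATTACKER, "wstETH", EXPIRY, 1e9)
    except Unauthorized:
        return True
    return False


def honest_settlement(strict: bool) -> float:
    """Registered pricer posts a below-strike price: the calls expire worthless."""
    oracle = Oracle(strict=strict)
    oracle.set_pricer(ADMIN, "wstETH", PRICER)
    oracle.set_expiry_price(PRICER, "wstETH", EXPIRY, 3800.0)
    return new_vault().settle(oracle, EXPIRY)


if __name__ == "__main__":
    print("open-by-default oracle, attacker drains:", attacker_settlement(strict=False))
    print("default-deny oracle, attacker drains:   ", attacker_settlement(strict=True))
    print("honest pricer, below-strike expiry:     ", honest_settlement(strict=True))
```

Two things the model makes visible that the prose does not: the vulnerable variant is indistinguishable from the fixed one for every asset that already has a pricer, which is why an upgrade that only touches newly added assets can pass a review that exercises the existing ones; and because an expiry price is written once, the first caller to post it wins, so a legitimate pricer arriving later cannot repair the settlement. A default-deny check (no pricer registered means no caller is accepted) closes the window regardless of how assets are added.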
Stolen Funds and Distribution
The attacker extracted funds primarily in ETH and stablecoins, later dispersing them across 15 wallet addresses, many holding around 100 ETH each. Analysts confirmed the underlying options protocol remained intact.
Aevo announced that all Ribbon vaults have been halted and permanently decommissioned. While vaults suffered roughly 32% losses, active users will face only a 19% withdrawal reduction.
The shortfall is partially covered by the DAO forfeiting $400,000 of its own positions and by the expectation that long-dormant accounts will not withdraw.
Oracle manipulation remains a critical risk in DeFi. The incident reinforces the need for stricter upgrade controls on price infrastructure and for active management, or outright decommissioning, of legacy contracts that still hold user funds.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.

