DeFi has a long memory. Sometimes, it bites back years later.
That’s what happened this month when old Ribbon Finance vaults, now under Aevo’s umbrella, quietly lost about $2.7 million in an oracle exploit. Not from some brand-new experiment. But from smart contracts that were still alive on Ethereum, long after Ribbon rebranded to Aevo in 2023.
What Actually Went Wrong
The problem traces back to a December 6 oracle upgrade. A small change. Big consequences.
That update accidentally allowed any user to set prices for newly added assets. No special permissions. No guardrails. Just open access.
Aevo gets hacked for +2M
and decide to use the funds of dormant users (2-4 years) to repay active users. 🤔 pic.twitter.com/A1sX0MuirR
— MNC ® 🪄🥷 (@criptomaniac_) December 16, 2025
An attacker spotted the gap and moved fast.
They pushed fake expiry prices for assets like wstETH, AAVE, LINK, and WBTC into the shared oracle system at a single expiry timestamp. Once those prices were in, the vault logic did the rest exactly as coded.
The underlying Opyn protocol wasn’t affected, and neither was Aevo’s main layer-2 exchange. This was narrowly scoped to Ribbon’s legacy oracle setup. But narrow doesn’t mean harmless.
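The failure mode described above, a settlement oracle whose price setter is not gated for assets added after an upgrade, is easiest to see in code. The following is an added illustration and is not Ribbon’s, Opyn’s or Aevo’s code; the contract names, the `pricerOf` mapping and the `setExpiryPrice` signature are assumptions chosen to mirror the pattern the article describes. The first contract shows the open setter, the second the gated one that a vault should depend on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle (not the Opyn/Ribbon contract). It records one settlement
// price per (asset, expiry); downstream vault logic reads that price to pay out
// expired options. The asset -> pricer mapping is how callers are authorised.
contract OpenExpiryOracle {
    address public owner;
    mapping(address => address) public pricerOf; // asset => authorised pricer, 0 if never assigned
    mapping(address => mapping(uint256 => uint256)) public expiryPrice; // asset => expiry => price

    constructor() { owner = msg.sender; }

    // Owner registers an asset; in this flawed version registration does not
    // require a pricer, so pricerOf[asset] stays address(0).
    function addAsset(address asset) external {
        require(msg.sender == owner, "not owner");
        require(pricerOf[asset] == address(0), "already added");
        // intentionally no pricer assignment
    }

    // VULNERABLE: the guard is skipped whenever no pricer is configured, so for
    // any newly added asset every caller can write the settlement price.
    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        address pricer = pricerOf[asset];
        if (pricer != address(0)) {
            require(msg.sender == pricer, "not pricer");
        }
        expiryPrice[asset][expiry] = price;
    }
}

// Hardened version of the same interface.
contract GatedExpiryOracle {
    address public owner;
    uint256 public constant DISPUTE_WINDOW = 1 hours; // assumed value; consumers wait this long before trusting a price

    mapping(address => address) public pricerOf;
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;
    mapping(address => mapping(uint256 => uint256)) public setAt; // when the price was written

    event ExpiryPriceSet(address indexed asset, uint256 indexed expiry, uint256 price, address pricer);

    constructor() { owner = msg.sender; }

    // An asset cannot exist in the oracle without an explicit, non-zero pricer.
    function addAsset(address asset, address pricer) external {
        require(msg.sender == owner, "not owner");
        require(pricer != address(0), "pricer required");
        require(pricerOf[asset] == address(0), "already added");
        pricerOf[asset] = pricer;
    }

    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        // Unconditional check: unregistered asset => pricerOf == 0 => msg.sender can never match.
        require(msg.sender != address(0) && msg.sender == pricerOf[asset], "not pricer");
        require(expiry <= block.timestamp, "expiry not reached");   // no pre-setting future expiries
        require(expiryPrice[asset][expiry] == 0, "already set");    // write-once, no overwrite
        require(price > 0, "zero price");
        expiryPrice[asset][expiry] = price;
        setAt[asset][expiry] = block.timestamp;
        emit ExpiryPriceSet(asset, expiry, price, msg.sender);
    }

    // Vault settlement should read through this, not the raw mapping: a price is
    // only usable once it exists and the dispute window has elapsed.
    function getExpiryPrice(address asset, uint256 expiry) external view returns (uint256 price, bool finalized) {
        price = expiryPrice[asset][expiry];
        finalized = price != 0 && block.timestamp >= setAt[asset][expiry] + DISPUTE_WINDOW;
    }
}
```

The material difference is small: the open version turns “no pricer configured” into “anyone is the pricer”, whereas the gated version makes registration and authorisation one atomic step and refuses writes when no pricer exists. The write-once rule and the dispute window are defensive extras: they do not stop a bad price from a compromised pricer, but they give monitoring (the `ExpiryPriceSet` event) time to catch an anomalous value before vault logic settles on it.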
How the Exploit Unfolded
Blockchain analyst Specter was the first to flag the unusual outflows on X. From there, the trail was clear.
- Hundreds of ETH.
- A large chunk of USDC.
- Funds split across 15 different addresses.
Security researcher Liyi Zhou later published a breakdown showing how the attacker manipulated the Opyn/Ribbon oracle stack step by step. Monarch DeFi’s Anton Cheng confirmed the root cause: the December upgrade made pricing for new assets permissionless.
These vaults were once massive. At DeFi’s peak, Ribbon’s options vaults held over $300 million in TVL. That history made them an attractive target even years later.
Aevo’s Response: Stop, Decommission, Compensate
Once confirmed, Aevo shut down all Ribbon vaults immediately and announced they will be fully decommissioned.
Users won’t get 100% back. But the haircut is smaller than the raw damage.
While vaults lost roughly 32%, Aevo is proposing that withdrawals only take a 19% reduction. How? The DAO is stepping in.
The DAO is giving up about $400,000 of its own vault positions, reducing total user losses to roughly $2.3 million. That’s not perfect, but it’s real money on the table.
There’s another factor too. Many of the largest vault deposits haven’t moved in two to four years. Aevo believes a chunk of those users may never withdraw, which frees up more capital for active claimants.
Who Gets Paid First
Aevo is prioritizing users who are still paying attention.
Active users get the smaller haircut upfront. The claim window runs six months, from Dec. 12 to June 12.
After that, the DAO plans to liquidate remaining assets and distribute them to users who already withdrew, covering up to the missing 19% or whatever funds remain.
One thing Aevo was clear about: there was never deposit insurance. This is DeFi. Code risk comes with the territory.
The Bigger Lesson
Oracle attacks aren’t new. And they’re not going away. Earlier this year, Venus Protocol lost $717,000 on ZKsync in a similar oracle manipulation. Same theme. Different chain.
The takeaway is simple and uncomfortable: Old contracts are still attack surfaces. Rebrands don’t kill risk. And “legacy” doesn’t mean safe.
DeFi keeps moving fast. But sometimes, the ghosts of earlier code catch up. And when they do, they don’t ask permission.