Aevo Oracle Upgrade Opens Door to $2.7 Million Ribbon Vault Drain

Decentralized exchange Aevo, formerly known as Ribbon Finance, has confirmed a $2.7 million exploit targeting its legacy Decentralized Options Vaults (DOV) on Ethereum. The incident, which came to light on December 14, 2025, highlights the persistent risks lurking in dormant DeFi infrastructure — and the dangers of upgrading oracles without fully auditing downstream dependencies.

The Exploit Mechanics

The attack vector originated from a December 6 oracle upgrade that modified how price feeds handled newly added assets. According to security researchers, the update introduced a critical flaw: it allowed any user to set prices for certain assets within the vault system. This meant an attacker could artificially inflate or deflate the price of a vault asset, then execute withdrawals at manipulated valuations.
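To make the mechanism concrete, here is an added Python model of a multi-asset vault whose share accounting trusts a price oracle. It is example code written for this article, not Aevo's or Ribbon's contracts, and it does not reproduce the actual vault logic: the oracle classes, the "keeper" and "attacker" callers, the NEWTOKEN asset and all balances are constructed, while the BTC and ETH prices echo the market levels quoted later in the article. The open oracle accepts a price from any caller, so one nearly worthless token can be deposited at an inflated valuation and redeemed for real ETH; the guarded variant rejects the unauthorized write and also bounds moves against the last published price.

```python
# Added example (not Aevo/Ribbon code): toy vault + oracle showing why an oracle
# that lets anyone set a price becomes a vault drain. All values are constructed.
from typing import Dict, Set


class OpenPriceOracle:
    """Vulnerable model: set_price performs no caller check at all."""

    def __init__(self) -> None:
        self.prices: Dict[str, int] = {}  # asset symbol -> USD price (whole dollars)

    def set_price(self, caller: str, asset: str, price: int) -> None:
        self.prices[asset] = price  # anyone can write any price

    def get_price(self, asset: str) -> int:
        return self.prices[asset]


class GuardedPriceOracle(OpenPriceOracle):
    """Hardened model: allowlisted updaters, positive prices, bounded moves."""

    def __init__(self, updaters: Set[str], max_move_bps: int = 1_000) -> None:
        super().__init__()
        self.updaters = updaters          # callers allowed to publish prices
        self.max_move_bps = max_move_bps  # max change vs last price, basis points

    def set_price(self, caller: str, asset: str, price: int) -> None:
        if caller not in self.updaters:
            raise PermissionError(f"{caller} is not an authorized price updater")
        if price <= 0:
            raise ValueError("price must be positive")
        last = self.prices.get(asset)
        # A newly added asset has no baseline, so the allowlist is the only guard;
        # the first price for a new asset is therefore the one to scrutinize most.
        if last is not None and abs(price - last) * 10_000 // last > self.max_move_bps:
            raise ValueError(f"{asset} move from {last} to {price} exceeds bound")
        self.prices[asset] = price


class Vault:
    """Shares are minted and redeemed at the oracle-valued USD worth of assets."""

    def __init__(self, oracle: OpenPriceOracle, holdings: Dict[str, int], lp: str) -> None:
        self.oracle = oracle
        self.holdings = dict(holdings)              # asset -> token units held
        self.total_shares = self.total_value_usd()  # bootstrap at 1 share per USD
        self.shares: Dict[str, int] = {lp: self.total_shares}

    def total_value_usd(self) -> int:
        return sum(u * self.oracle.get_price(a) for a, u in self.holdings.items())

    def deposit(self, user: str, asset: str, units: int) -> int:
        """Mint shares for `units` of `asset`, valued at the oracle price."""
        value = units * self.oracle.get_price(asset)
        minted = value * self.total_shares // self.total_value_usd()
        self.holdings[asset] = self.holdings.get(asset, 0) + units
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def withdraw(self, user: str, asset: str, shares: int) -> int:
        """Burn shares and pay their pro-rata USD value out in `asset`."""
        if shares > self.shares.get(user, 0):
            raise ValueError("insufficient shares")
        value = self.total_value_usd() * shares // self.total_shares
        units = value // self.oracle.get_price(asset)
        if units > self.holdings[asset]:
            raise ValueError("insufficient vault balance")
        self.shares[user] -= shares
        self.total_shares -= shares
        self.holdings[asset] -= units
        return units


def seed(oracle: OpenPriceOracle) -> Vault:
    # Constructed prices; BTC/ETH figures echo the article's quoted market levels.
    oracle.set_price("keeper", "WBTC", 88_175)
    oracle.set_price("keeper", "ETH", 3_060)
    oracle.set_price("keeper", "NEWTOKEN", 1)  # newly listed, nearly worthless
    return Vault(oracle, {"WBTC": 10, "ETH": 100}, lp="honest_lp")


def drain_with_open_oracle() -> int:
    """How many ETH one NEWTOKEN buys when anyone can set NEWTOKEN's price."""
    oracle = OpenPriceOracle()
    vault = seed(oracle)
    oracle.set_price("attacker", "NEWTOKEN", 300_000)  # accepted: no check
    minted = vault.deposit("attacker", "NEWTOKEN", 1)   # valued at $300,000
    return vault.withdraw("attacker", "ETH", minted)    # paid out in real ETH


def drain_with_guarded_oracle() -> str:
    """Name of the exception that stops the same sequence under the guarded oracle."""
    oracle = GuardedPriceOracle(updaters={"keeper"})
    vault = seed(oracle)
    try:
        oracle.set_price("attacker", "NEWTOKEN", 300_000)
    except PermissionError as exc:
        return type(exc).__name__
    vault.deposit("attacker", "NEWTOKEN", 1)
    return "no error"


if __name__ == "__main__":
    print("open oracle pays out ETH:", drain_with_open_oracle())
    print("guarded oracle stops with:", drain_with_guarded_oracle())
```

In the open model one deposited token walks out with 98 of the vault's 100 ETH, because the share price is computed from a number the depositor wrote. The guarded model stops the write on the allowlist alone, and even an allowlisted updater could not jump NEWTOKEN from 1 to 300,000 in one step because of the deviation bound; the caveat is that a brand-new asset has no baseline, so its first price relies entirely on who is allowed to publish it.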

The exploit was first flagged by on-chain researcher @SpecterAnalyst on X (formerly Twitter), who identified a suspicious contract interacting with Ribbon vaults. Subsequent analysis from multiple security firms, including Halborn, confirmed that the root cause was an oracle misconfiguration rather than a traditional smart contract reentrancy or overflow bug.

The attacker exploited the pricing discrepancy across multiple vault positions, systematically draining approximately $2.7 million in pooled assets. The funds were extracted in a series of transactions, each calibrated to maximize extraction before the vault balances could be reconciled against real market prices.

Affected Systems

The exploit was confined to Aevo’s legacy Ribbon DOV vaults on Ethereum. Critically, Aevo’s Layer 2 exchange — the platform’s primary trading venue — was not affected. The company emphasized that the vulnerability existed only in the older, largely inactive vault products that had been inherited from the Ribbon Finance rebrand.

The affected vaults included options products tied to several major crypto assets. Users who had deposited funds into these vaults for yield generation found their positions significantly depleted. Aevo moved quickly to disable all remaining Ribbon vaults, preventing further exploitation while the team assessed the full scope of the damage.

At the time of the exploit, Bitcoin was trading at approximately $88,175 and Ethereum at $3,060, according to CoinMarketCap historical data. The broader market was in a slight downturn, with most major assets posting single-digit weekly losses — a backdrop that may have initially masked the unusual vault activity.

The Mitigation Strategy

Aevo’s response was swift but controversial. The platform disabled all legacy Ribbon vaults and announced plans to fully decommission the product line. A six-month claim window was opened for affected users to recover whatever remaining assets could be salvaged from the vaults.

However, the recovery plan drew immediate community backlash. The Aevo DAO proposed liquidating the remaining vault assets to compensate users — but only up to 19% of the lost amount, or the remaining balance, whichever was lower. For users who lost tens of thousands of dollars, a 19% recovery rate was seen as woefully inadequate.

The DAO defended the plan by noting that the remaining vault assets were insufficient to cover the full $2.7 million loss. The protocol treasury was not obligated, under existing governance frameworks, to make users whole from exploits affecting legacy products.

Lessons Learned

The Aevo incident serves as a stark reminder that legacy DeFi products carry outsized risk. Protocols that undergo major rebrands or migrations — as Ribbon Finance did when it became Aevo — often leave behind infrastructure that receives diminishing attention from development teams. Oracle upgrades, even minor ones, can introduce cascading vulnerabilities in systems that were not designed with the new configurations in mind.

For the broader DeFi ecosystem, the exploit reinforces several critical security principles. First, any oracle modification — no matter how routine — requires comprehensive testing against all dependent contracts, including legacy products. Second, protocols must maintain explicit sunset policies for deprecated products, including regular audits of dormant infrastructure. Third, the incident underscores the importance of real-time monitoring tools that can detect anomalous withdrawal patterns before losses compound.
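As an added illustration of the monitoring point (example code written for this article, not Aevo's tooling), the Python below runs two detectors over a constructed event stream: a divergence check between the price a vault's oracle reports for an asset and an independent reference feed, and a sliding-window check on how much of a vault's TVL leaves within a few blocks. Vault names, TVL figures, block numbers, the NEWTOKEN asset and all prices are made up; the ETH and WBTC reference levels echo the market figures quoted in the article.

```python
# Added example (not Aevo's monitoring): two vault-withdrawal detectors run over
# constructed records. Every vault, asset, block number and price here is made up.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class PriceObservation(NamedTuple):
    block: int
    asset: str
    oracle_price: int     # USD price the vault's oracle currently reports
    reference_price: int  # USD price from an independent feed


class Withdrawal(NamedTuple):
    block: int
    vault: str
    asset: str
    units: int
    reference_price: int  # USD price of the paid-out asset on the independent feed


class PriceAlert(NamedTuple):
    block: int
    asset: str
    divergence_bps: int


class BurstAlert(NamedTuple):
    vault: str
    block: int
    window_usd: int


# Constructed samples: routine prices plus one asset whose oracle price is absurd.
OBSERVATIONS: List[PriceObservation] = [
    PriceObservation(100, "ETH", 3_060, 3_055),
    PriceObservation(100, "WBTC", 88_175, 88_200),
    PriceObservation(139, "NEWTOKEN", 300_000, 1),
]

# Constructed TVL per vault, in USD.
VAULT_TVL_USD: Dict[str, int] = {
    "legacy-eth-vault": 1_200_000,
    "legacy-wbtc-vault": 900_000,
}

# Constructed stream: small routine redemptions, then a burst from one vault.
EVENTS: List[Withdrawal] = [
    Withdrawal(100, "legacy-eth-vault", "ETH", 2, 3_055),
    Withdrawal(101, "legacy-wbtc-vault", "WBTC", 1, 88_200),
    Withdrawal(140, "legacy-eth-vault", "ETH", 98, 3_058),
    Withdrawal(141, "legacy-eth-vault", "ETH", 90, 3_058),
    Withdrawal(142, "legacy-eth-vault", "ETH", 95, 3_058),
]


def price_divergence_alerts(obs: List[PriceObservation], max_bps: int) -> List[PriceAlert]:
    """Flag assets whose oracle price differs from the reference by more than max_bps."""
    alerts = []
    for o in obs:
        bps = abs(o.oracle_price - o.reference_price) * 10_000 // o.reference_price
        if bps > max_bps:
            alerts.append(PriceAlert(o.block, o.asset, bps))
    return alerts


def withdrawal_burst_alerts(events: List[Withdrawal], tvl_usd: Dict[str, int],
                            window_blocks: int, max_share_bps: int) -> List[BurstAlert]:
    """Flag a vault whenever withdrawals in the trailing window exceed a share of TVL.

    Payouts are valued at the independent reference price, not the vault's own
    oracle, so a manipulated oracle cannot hide the outflow from the detector.
    """
    recent: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        usd = ev.units * ev.reference_price
        recent[ev.vault].append((ev.block, usd))
        # Keep only entries inside the trailing window ending at this block.
        recent[ev.vault] = [(b, v) for b, v in recent[ev.vault]
                            if b > ev.block - window_blocks]
        total = sum(v for _, v in recent[ev.vault])
        if total * 10_000 > tvl_usd[ev.vault] * max_share_bps:
            alerts.append(BurstAlert(ev.vault, ev.block, total))
    return alerts


if __name__ == "__main__":
    for a in price_divergence_alerts(OBSERVATIONS, max_bps=500):
        print("price divergence:", a)
    for a in withdrawal_burst_alerts(EVENTS, VAULT_TVL_USD, 20, 2_500):
        print("withdrawal burst:", a)
```

With a 5% divergence threshold only NEWTOKEN fires, and with a 20-block window and a 25%-of-TVL limit the ETH vault fires at block 141, one block after the burst starts, while the routine redemptions at blocks 100 and 101 stay quiet. The thresholds are tuning knobs; the design point is that both checks compare against a price source the vault's own oracle cannot influence.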

User Action Required

If you held funds in Aevo’s Ribbon DOV vaults, you should immediately check the Aevo governance forum for updates on the claim process. The six-month window is time-limited, and delays could result in forfeiting even the partial recovery. Additionally, review any other legacy vault positions you may hold across DeFi platforms — products that have been superseded by newer versions are prime targets for similar exploits. Consider withdrawing from any inactive or deprecated yield products, and prioritize protocols with active bug bounty programs and regular security audits.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.


4 thoughts on “Aevo Oracle Upgrade Opens Door to $2.7 Million Ribbon Vault Drain”

  1. legacy_nightmare

    Oracle upgrade on Dec 6, exploit detected Dec 14. 8 days of vulnerable dormant vaults sitting there. the real lesson is kill your legacy contracts

    1. any user could set prices for certain assets after the upgrade. that's not a misconfiguration, that's a catastrophic failure of access control

  2. Ribbon rebranded to Aevo, moved to L2, and just… left the old vaults running. $2.7M gone because nobody decommissioned the old stuff

  3. wstETH, AAVE, LINK, WBTC all vulnerable. basically every major DeFi asset was exposed because of one proxy contract update

