AI-Assisted Hacker Targets Abandoned DeFi Protocols in $5 Million December Spree

TL;DR

  • Three legacy DeFi projects — Ribbon Finance, Rari Capital, and iEarn Finance — were hacked for approximately $5 million in a single week in December 2025
  • All three targeted contracts were from the 2020-2022 DeFi cycle: abandoned, immutable, or no longer maintained
  • Security researchers suspect AI-assisted targeting of legacy contracts that lack active monitoring
  • Ribbon Finance lost $2.7 million to an oracle manipulation attack on legacy DOV vaults
  • An Anthropic study found AI agents autonomously discovered two novel zero-day vulnerabilities in smart contracts

A cluster of three hacks targeting abandoned DeFi protocols in December 2025 has raised alarms among security researchers who believe artificial intelligence may be supercharging the discovery and exploitation of legacy smart contract vulnerabilities. The attacks, which collectively drained approximately $5 million, shared a common thread: all three targeted contracts had been deployed years ago and were no longer actively maintained.

Ribbon Finance Loses $2.7 Million in Oracle Manipulation

Aevo, the successor protocol to Ribbon Finance, confirmed that an oracle manipulation hack on legacy Ribbon DOV vaults resulted in a $2.7 million loss. The affected vaults were remnants from Ribbon’s options trading era before the project rebranded and pivoted to Aevo. Current Aevo users were not impacted.

The incident took a controversial turn when the Ribbon team initially announced a reimbursement plan using $400,000 of its own funds supplemented by assets from dormant user accounts. After community backlash, the team reversed course, and affected users were informed they would absorb a full 100% loss on their deposits.

Rari Capital Hijacked for $2 Million

On December 10, a hacker exploited Rari Capital’s defunct implementation contract, borrowing assets without posting any collateral. The $2 million theft went undetected for an entire week before being flagged by security monitors.

Rari Capital had ceased operations following two earlier hacks, one in 2021 for $15 million and one in 2022 for $80 million. The project settled with the SEC in September 2024 over charges of misleading investors and engaging in unregistered broker activity. Despite being defunct, approximately $2.7 million in user funds remained locked in Rari contracts, according to DeFiLlama data.

Five-Year-Old iEarn Contract Drained for $250,000

A five-year-old iEarn Finance contract — the precursor to Yearn Finance — was attacked for approximately $250,000. Yearn developer Banteg described how a misconfigured adapter caused a cascading failure across multiple DeFi protocols. The hack exploited the same vulnerability that had been used in a 2023 attack that cost $11 million.

Yearn itself confirmed the issue was exclusive to the immutable iEarn TUSD contract, deployed over 2,100 days prior, and did not impact current Yearn vaults or contracts.

The AI Connection

Security researcher storm0x, a former Yearn developer, raised the possibility that someone is specifically targeting legacy contracts using new AI tools and large language models. Another analyst echoed this concern, warning that the barrier to building, testing, and executing exploit strategies against smart contracts has never been lower.

These suspicions are grounded in emerging evidence. A study from Anthropic pitted AI agents against a library of 405 smart contracts exploited between 2020 and 2025. The AI models autonomously achieved $4.5 million worth of exploits on contracts deployed after their knowledge cutoff and uncovered two novel zero-day vulnerabilities in a pool of 2,849 contracts with no known vulnerabilities.

At the time of these incidents, Bitcoin was trading at approximately $90,400 and Ethereum at $3,061, with the broader crypto market showing moderate stability following a volatile November.

Why This Matters

The December spree against legacy DeFi protocols exposes a growing blind spot in the ecosystem. Billions of dollars remain locked in immutable smart contracts that were deployed during the 2020-2022 DeFi boom. Many of these contracts have no active development teams, no monitoring, and no upgrade paths. They are sitting ducks.

The potential for AI to accelerate vulnerability discovery in these abandoned contracts represents a paradigm shift in crypto security. Previously, finding and exploiting a novel vulnerability required specialized expertise and significant manual effort. AI tools lower that barrier dramatically, enabling attackers to scan thousands of contracts for weaknesses at machine speed.

For users, the advice from researchers is straightforward: withdraw funds from any 2021-era contracts that are deprecated, sunsetted, or abandoned. The era of assuming old contracts are safe simply because they have not been exploited yet may be coming to an end.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making financial decisions.


6 thoughts on “AI-Assisted Hacker Targets Abandoned DeFi Protocols in $5 Million December Spree”

  1. ribbon initially offering 400K reimbursement from dormant accounts was wild. community pushed back hard and affected users got 100% loss instead. brutal outcome

  2. AI agents autonomously discovering zero-days in smart contracts is the part nobody is talking about enough. the offensive AI capability is growing faster than defensive tooling
