Aevo DeFi Loses $2.7M in Oracle Manipulation Attack on Options Vault

Key Takeaways
- Decentralized derivatives exchange Aevo suffered a hack on its legacy DeFi options vault (DOV), resulting in attackers draining approximately $2.7 million in wstETH, LINK, AAVE, ETH, and USDC.
- Security analysts traced the exploit to a recent protocol upgrade that added 18-decimal pricing support for assets on the Ribbon vaults; the change inadvertently allowed anyone to set prices for newly added tokens and manipulate options contracts.
- Approximately 32% of all assets in the Opyn/Ribbon oracle stack were lost to the hack, with the attacker converting the stolen assets to ETH and USDC before distributing them across 15 wallet addresses.
- Aevo confirmed that its Opyn platform remains unaffected and has since decommissioned the Ribbon vault. The exchange has opened a 6-month claim window during which users can withdraw their assets and be made whole from the Aevo DAO’s own positions and from funds held in larger dormant accounts.
Derivatives-focused decentralized exchange Aevo, formerly Ribbon Finance, has suffered a multi-million dollar exploit after hackers targeted its legacy smart contract system. The hack occurred six days after an oracle upgrade that enabled price manipulation on the DEX.
Aevo specializes in options and perpetual contracts, supporting leveraged trading with up to 20x leverage on assets like Bitcoin (BTC), Ethereum (ETH), and Solana (SOL). It focuses on high-performance trading through a custom Ethereum Virtual Machine (EVM) rollup.
Aevo DEX Hit by $2.7M Oracle Exploit; Hackers Drain 32% of DOV Vaults
According to blockchain security experts, attackers drained approximately $2.7 million in various crypto assets from its legacy decentralized options vaults (DOVs), forcing Aevo to permanently shut down the vaults and instruct users to withdraw their assets hours after the attack was detected on Sunday, December 14.
The vault containing structured crypto products held over $300 million in total value locked at its peak and remained active on Ethereum even after Ribbon Finance transitioned into Aevo in 2023. The team confirmed that its primary exchange, and user funds held in standard trading accounts on the Aevo Chain – a layer-2 Ethereum rollup on the OP Stack – remain unaffected.
The attackers exploited vulnerabilities in Aevo’s recently upgraded oracle pricing mechanism by abusing its proxy admin contract, which gave them unauthorized control over price updates on the Opyn/Ribbon oracle stack. They proceeded to create malformed options using legitimate whitelisted tokens such as wstETH, LINK, AAVE, PAXG, and WBTC, pushing arbitrary prices at a common expiry timestamp so that the setup drew no attention. They then used these options contracts to trigger false settlements across the DOVs linked to the smart contract, extracting roughly 32% of the assets held in them.
On-chain analysts noted that the exploit was made possible by a December 6 upgrade to Aevo’s oracle code that supports 18-decimal pricing for certain digital assets, excluding USDC. The upgrade introduced a critical flaw that allowed anyone to set fake prices for any token sharing the same expiry timestamp.
The hacker used stETH-based tokens, collateralized with WETH, to trigger settlements on the contract by forcing the oracle to recognize fraudulent valuations. The smart contract then released approximately 900 ETH ($2.8 million) and hundreds of USDC to wallets controlled by the attacker, who distributed the assets across 15 different addresses, many of which hold approximately 100 ETH ($314,638) each.
Because the oTokens were minted through the normal creation flow, the transactions passed as legitimate, but the lack of payout caps allowed unchecked asset withdrawal. Experts who investigated the case confirmed that while Ribbon’s oracle upgrade was affected, it did not compromise Aevo’s Opyn contracts.
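To make the flaw pattern concrete, the hypothetical Solidity below was added for this article; it is not the Opyn, Ribbon or Aevo code, whose actual implementation the article does not show. It models only what is described above: a newly added 18-decimal price path that skips the pricer authorization the legacy path enforces, a hardened variant where every write path funnels through one guard and prices are write-once per asset and expiry, and a settlement that caps the payout at the collateral actually locked. The contract names, the 8-decimal storage convention, the `pricerOf` role mapping and the payout formula are all illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical settlement oracle written for this article; not Aevo/Opyn/Ribbon code.
// Assumption: settlement prices are stored with 8 decimals and the upgrade added
// assets whose pricers report 18-decimal values.
abstract contract OracleBase {
    address public immutable owner;
    mapping(address => address) public pricerOf;   // asset => authorised pricer
    mapping(address => bool)    public is18Decimal; // assets added by the upgrade
    // asset => expiry timestamp => settlement price (8 decimals, assumed convention)
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;

    constructor() { owner = msg.sender; }

    function setPricer(address asset, address pricer) external {
        require(msg.sender == owner, "not owner");
        pricerOf[asset] = pricer;
    }

    function addAsset18(address asset) external {
        require(msg.sender == owner, "not owner");
        is18Decimal[asset] = true;
    }
}

// Models the weak pattern: the new path was added without the old path's guard.
contract VulnerableExpiryOracle is OracleBase {
    // Legacy path: only the registered pricer may write a settlement price.
    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        require(msg.sender == pricerOf[asset], "not pricer");
        expiryPrice[asset][expiry] = price;
    }

    // Upgrade path: rescales 18 decimals to 8, but the pricer check was never
    // carried over, so any caller can pin a price for an upgraded asset at
    // any expiry timestamp, and overwrite it at will.
    function setExpiryPrice18(address asset, uint256 expiry, uint256 price18) external {
        require(is18Decimal[asset], "not an 18-decimal asset");
        expiryPrice[asset][expiry] = price18 / 1e10; // missing: msg.sender == pricerOf[asset]
    }
}

// Hardened pattern: one internal guard shared by every write path.
contract HardenedExpiryOracle is OracleBase {
    event ExpiryPriceSet(address indexed asset, uint256 indexed expiry, uint256 price, address setter);

    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        _setPrice(asset, expiry, price);
    }

    function setExpiryPrice18(address asset, uint256 expiry, uint256 price18) external {
        require(is18Decimal[asset], "not an 18-decimal asset");
        _setPrice(asset, expiry, price18 / 1e10);
    }

    // A new decimal format cannot be added without inheriting these checks:
    // only the asset's pricer may write, only for an expiry that has passed,
    // write-once per (asset, expiry), non-zero, and logged for monitoring.
    function _setPrice(address asset, uint256 expiry, uint256 price) internal {
        require(msg.sender == pricerOf[asset], "not pricer");
        require(expiry <= block.timestamp, "expiry not reached");
        require(expiryPrice[asset][expiry] == 0, "price already set");
        require(price > 0, "zero price");
        expiryPrice[asset][expiry] = price;
        emit ExpiryPriceSet(asset, expiry, price, msg.sender);
    }
}

// Settlement that caps the payout at the collateral locked for the position,
// so even a wrong oracle price cannot release more than was deposited.
contract CappedSettlement {
    OracleBase public immutable oracle;

    constructor(OracleBase o) { oracle = o; }

    // Payout of a call settled in the underlying: max(price - strike, 0) * notional / price,
    // with price and strike both in the oracle's 8-decimal convention.
    function callPayout(address asset, uint256 expiry, uint256 strike,
                        uint256 notional, uint256 lockedCollateral)
        external view returns (uint256)
    {
        uint256 price = oracle.expiryPrice(asset, expiry);
        require(price > 0, "price not finalised");
        if (price <= strike) return 0;
        uint256 payout = (price - strike) * notional / price;
        return payout > lockedCollateral ? lockedCollateral : payout;
    }
}
```

The design point is that the authorization lives in a single internal function rather than being repeated per entry point, so a later upgrade that adds another price format cannot forget it, and the write-once rule plus the emitted event give monitoring a clean signal: any `ExpiryPriceSet` from an address other than the registered pricer, or any revert on "price already set", is worth an alert.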
Aevo Shuts Ribbon Vaults, Opens 6-Month Claim Window, Vows Full Repayment via DAO Funds
Hours after the attack, Aevo said in a statement on X that it has decommissioned all Ribbon vaults. The exchange noted that affected users will only be subject to a 19% reduction on their position’s value at the time of the hack. This is possible because the Aevo DAO will forfeit its own vault positions, valued at roughly $400,000 in various assets, to offset the theft, reducing net losses to $2.3 million, and will liquidate assets from accounts with larger deposits that have been dormant for more than three years and are unlikely to withdraw any funds.
“We’re proposing to prioritize active users by granting them a smaller reduction upfront. Given the expected dormancy rate, there’s a strong chance that users who withdraw during the claim window will ultimately be made whole after the final distribution,” the team wrote.
Aevo’s claim window will run for the next six months, from December 12 to June 12, 2026. After the deadline, the DAO will liquidate all remaining assets and distribute them to users who previously withdrew, either compensating for the missing 19% or as much as remains available.
Oracle manipulation remains a persistent DeFi attack vector and has become increasingly sophisticated. Oracle-related exploits account for a significant portion of the sector’s losses this year. In November alone, $137 million in various assets were lost across the DeFi space, affecting major platforms like Balancer and Yearn Finance. Earlier this year, Venus Protocol on the ZKsync blockchain lost $717,000 in an exploit similar to Aevo’s. According to data from DefiLlama, the DeFi sector has lost over $2.5 billion to hacks in 2025.
At the time of writing, Aevo (AEVO) is trading at $0.04102 – down 0.15% in 24 hours.