
Legacy DeFi options vaults created by Ribbon Finance and later absorbed by Aevo were exploited for around $2.7 million on December 12.
The affected products were Ribbon’s DeFi Options Vaults, which once held more than $300 million in total value locked during DeFi’s peak.
Although Ribbon rebranded to Aevo in 2023, the legacy vault contracts continued operating on Ethereum (CRYPTO:ETH).
Aevo confirmed that its main Layer 2 derivatives exchange was not affected by the incident.
Security researchers traced the exploit to an oracle infrastructure upgrade deployed on December 6.
The upgrade unintentionally allowed any user to set prices for newly added assets.
An attacker exploited this flaw to manipulate price feeds and extract funds from the vaults.
Blockchain analyst Specter first identified suspicious outflows and linked them to the exploit contract.
The attacker drained hundreds of ETH and significant USDC before dispersing the funds.
Stolen assets were spread across 15 wallet addresses, many holding roughly 100 ETH each.
Security researcher Liyi Zhou said the attacker abused the Opyn and Ribbon oracle stack using price-feed proxies.
The exploit pushed arbitrary expiry prices for several assets at a shared timestamp.
Affected assets included wstETH, AAVE, LINK and WBTC.
Anton Cheng of Monarch DeFi said the exploit was enabled by the December 6 oracle code change.
“The upgrade let anyone set prices for new assets, which made the exploit possible,” Anton Cheng said.
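To make the flaw described above concrete, the following is an added Python model, not Ribbon's, Opyn's or Aevo's code: an expiry-price oracle whose guard only checks assets that already have a configured pricer, beside a hardened guard and a monitoring check that groups unauthorised writes by shared expiry timestamp. Every asset name, address, price and the timestamp is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ExpiryPriceOracle:
    """Toy model of a per-asset 'pricer' oracle (hypothetical, not Ribbon's or Opyn's code)."""
    strict: bool                                  # False: flawed guard, True: hardened guard
    pricers: dict = field(default_factory=dict)   # asset -> authorised pricer address
    prices: dict = field(default_factory=dict)    # (asset, expiry) -> settled price

    def add_asset(self, asset, pricer=None):
        # Flawed onboarding can list an asset without ever configuring its pricer.
        self.pricers[asset] = pricer

    def set_expiry_price(self, sender, asset, expiry, price):
        pricer = self.pricers.get(asset)
        if self.strict:
            # Hardened: a missing pricer is a misconfiguration, never an open door.
            if pricer is None or sender != pricer:
                raise PermissionError(f"{sender} may not price {asset}")
        elif pricer is not None and sender != pricer:
            # Flawed: only assets with a configured pricer are guarded, so any
            # sender can settle the expiry price of a newly added asset.
            raise PermissionError(f"{sender} may not price {asset}")
        self.prices[(asset, expiry)] = price

def flag_unauthorised_sets(events, pricers):
    """Monitoring view: group expiry-price writes whose sender is not the registered
    pricer by expiry timestamp, so several assets settled at one shared timestamp
    by an unauthorised sender stand out together."""
    flagged = {}
    for sender, asset, expiry, price in events:
        if pricers.get(asset) != sender:
            flagged.setdefault(expiry, []).append((asset, sender, price))
    return flagged

def demo():
    """Constructed scenario: WBTC has a pricer, AAVE and LINK were added without one."""
    expiry = 1_700_000_000                        # constructed timestamp
    flawed = ExpiryPriceOracle(strict=False)
    flawed.add_asset("WBTC", pricer="0xPRICER")   # constructed addresses throughout
    flawed.add_asset("AAVE")
    flawed.add_asset("LINK")
    flawed.set_expiry_price("0xOTHER", "AAVE", expiry, 1)   # accepted by the flawed guard
    flawed.set_expiry_price("0xOTHER", "LINK", expiry, 1)
    hardened = ExpiryPriceOracle(strict=True)
    hardened.add_asset("AAVE")
    try:
        hardened.set_expiry_price("0xOTHER", "AAVE", expiry, 1)
        rejected = False
    except PermissionError:
        rejected = True
    events = [("0xPRICER", "WBTC", expiry, 90_000), ("0xOTHER", "AAVE", expiry, 1),
              ("0xOTHER", "LINK", expiry, 1)]
    return flawed.prices, rejected, flag_unauthorised_sets(events, flawed.pricers)
```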
Aevo announced that all Ribbon vaults have been halted and will be permanently decommissioned.
The team estimated vault losses at about 32% of total value.
Aevo proposed limiting user withdrawal losses to 19% by forfeiting around $400,000 of DAO-held assets.
“We’re proposing to prioritise active users by granting them a smaller reduction upfront,” the Aevo team said.
A six-month claim window will run from December 12 to June 12.
At the time of reporting, Ethereum price was $3,075.65.