2025-12-15

Key Notes

Aevo, the derivatives venue built by the former Ribbon Finance team, confirmed a $2.7 million loss from its legacy Ribbon DOV vaults after an oracle-related smart contract upgrade on December 12.

We regret to confirm that the legacy Ribbon DOV vaults were exploited yesterday following a vulnerability in a smart contract update, resulting in a loss of approximately $2.7M USD. We have immediately taken action to identify the root cause and are coordinating with CEXs and… — Aevo (fka Ribbon Finance) (@ribbonfinance) December 13, 2025

Shortly after, the project team relayed that Aevo will permanently disable all Ribbon vaults and run a capped recovery process for affected users. It explained that the old Ribbon DOV vault was hacked on December 12 due to smart contract vulnerabilities in a recent update, leading to a $2.7 million loss.

As a consequence, all Ribbon vaults were paused and should soon be permanently disabled, with a six‑month claims window through June 12, 2026. The post adds that the DAO will liquidate remaining assets to compensate users “up to 19% of the missing amount or the remaining balance,” whichever is lower.

We have an update on the legacy Ribbon DOVs exploit, specifically the next steps we're proposing for impacted vault depositors. If you have an active Ribbon vault position, please read carefully, as action will be required on your side. All Ribbon vaults have been stopped and… — Aevo (fka Ribbon Finance) (@ribbonfinance) December 14, 2025

How the Ribbon vault hack actually happened

Blockchain investigators reconstructed the attack path using the exploit contract at 0x3c212A044760DE5a529B3Ba59363ddeCcc2210bE and at least 15 recipient addresses first flagged by on‑chain analyst Specter on X. Specter wrote that “the old contract of @ribbonfinance has been drained for a total of $2.7M,” listing theft addresses that received drained [NC] and stablecoins.

The old contract of @ribbonfinance has been drained for a total of $2.7M. Exploit contract: 0x3c212A044760DE5a529B3Ba59363ddeCcc2210bE Theft addresses:

0x354ad0816de79E72452C14001F564e5fDf9a355e

0x2Cfea8EfAb822778E4e109E8f9BCdc3e9E22CCC9… pic.twitter.com/sXKDYoL4RS — Specter (@SpecterAnalyst) December 12, 2025

Security write‑ups from multiple venues agree that the attacker abused the oracle proxy admin to submit arbitrary expiry prices for wstETH, AAVE, [NC], and other underlyings, then settled oToken positions against Ribbon’s MarginPool to pull assets from the vaults.

Post‑mortems point to a decimal‑mismatch bug introduced six days earlier, when Ribbon updated the oracle pricer to 18‑decimal feeds for stETH, PAXG, LINK, and AAVE while keeping USDC at eight decimals. Web3 security researcher Weilin highlighted that the configuration allowed forged expiry prices at a shared timestamp across assets, which the settlement pipeline then treated as valid for prominent short oToken positions. Funds now sit spread across the original 15 addresses and several consolidation wallets, with no public recovery negotiation from the attacker.
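To make the decimals hazard concrete, here is a constructed Python model of the failure class the two paragraphs above describe: a settlement routine that consumes a raw feed value without normalizing its scale, next to a hardened version that rescales every price to a common 8‑decimal base and gates submitted expiry prices against a registry and a live reference. This is added example code, not Ribbon, Opyn or Aevo code; the asset names, decimals registry, strikes and prices are made up for illustration and do not reproduce the actual vault parameters.

```python
from dataclasses import dataclass

SETTLEMENT_DECIMALS = 8       # common scale every price is brought to before settlement
MAX_DEVIATION_BPS = 2_000     # reject expiry prices more than 20% away from a live reference

# Constructed registry of the scale each asset's pricer is expected to report in.
# It mirrors the shape of the post-mortem (18-dp feeds for some assets, 8-dp USDC),
# but the entries are illustrative, not Ribbon's real configuration.
EXPECTED_DECIMALS = {"WSTETH": 18, "AAVE": 18, "USDC": 8}


@dataclass(frozen=True)
class ExpiryPrice:
    asset: str
    decimals: int   # scale the submitter claims the value is in
    price: int      # raw integer value as it would arrive on-chain


def to_settlement_scale(price: int, decimals: int) -> int:
    """Rescale a raw feed value to SETTLEMENT_DECIMALS."""
    if decimals > SETTLEMENT_DECIMALS:
        return price // 10 ** (decimals - SETTLEMENT_DECIMALS)
    return price * 10 ** (SETTLEMENT_DECIMALS - decimals)


def call_payout(strike: int, expiry_price: int, contracts: int, collateral: int) -> int:
    """Cash-settled liability of a short call position, capped at the collateral
    backing it. strike and expiry_price must already share one scale."""
    intrinsic = max(expiry_price - strike, 0)
    return min(intrinsic * contracts, collateral)


def naive_settle(strike_8dp: int, ep: ExpiryPrice, contracts: int, collateral: int) -> int:
    """Vulnerable pattern: the raw feed value is used as if it were 8-decimal.
    An 18-decimal price then looks 10**10 times too large, the call appears deep
    in the money, and the whole collateral is released."""
    return call_payout(strike_8dp, ep.price, contracts, collateral)


def safe_settle(strike_8dp: int, ep: ExpiryPrice, contracts: int, collateral: int) -> int:
    """Hardened pattern: normalize the price to the settlement scale first."""
    normalized = to_settlement_scale(ep.price, ep.decimals)
    return call_payout(strike_8dp, normalized, contracts, collateral)


def accept_expiry_price(ep: ExpiryPrice, reference_8dp: int) -> tuple[bool, str]:
    """Gate a submitted expiry price before it can reach settlement:
    the claimed scale must match the registry, and the normalized value must
    sit within MAX_DEVIATION_BPS of an independent live reference price."""
    expected = EXPECTED_DECIMALS.get(ep.asset)
    if expected is None:
        return False, f"{ep.asset}: no pricer registered"
    if ep.decimals != expected:
        return False, f"{ep.asset}: decimals {ep.decimals} != registered {expected}"
    normalized = to_settlement_scale(ep.price, ep.decimals)
    deviation_bps = abs(normalized - reference_8dp) * 10_000 // reference_8dp
    if deviation_bps > MAX_DEVIATION_BPS:
        return False, f"{ep.asset}: {deviation_bps} bps from reference"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a vault short 100 calls struck at $2,000, backed by
    # $300,000 of collateral; the feed reports an out-of-the-money $1,800 expiry
    # price in 18 decimals.
    strike = 2_000 * 10**8
    collateral = 300_000 * 10**8
    otm = ExpiryPrice("WSTETH", 18, 1_800 * 10**18)
    print("naive payout:", naive_settle(strike, otm, 100, collateral))   # entire collateral
    print("safe payout: ", safe_settle(strike, otm, 100, collateral))    # 0
    print(accept_expiry_price(otm, 1_850 * 10**8))
    print(accept_expiry_price(ExpiryPrice("WSTETH", 8, 1_800 * 10**8), 1_850 * 10**8))
```

The two gates in `accept_expiry_price` address the two things the write‑ups flag: a price whose scale does not match what the pricer is registered to emit is refused outright, and a price that is on the right scale but far from an independent reference is refused as well, so a single privileged submitter cannot push an arbitrary expiry value straight into settlement.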

The latest @ribbonfinance attack appears to be an oracle configuration fault. 6 days ago, the owners updated the oracle pricer, which uses an 18-decimal price for stETH, PAXG, LINK and AAVE. However, other assets like the USDC price are still at 8 decimals. Creation of OToken is not a… pic.twitter.com/4cpZUNTNun — Weilin (William) Li (@hklst4r) December 13, 2025

Aevo price reacts with a drop

The market has already marked Aevo down. AEVO trades at about $0.041 per token today, with a 7-day drop of 7% and a market cap of $37.7 million on a circulating supply of 915.8 million. That price sits 98.9% below the March 28, 2024, all‑time high of $3.86.

Implied protocol value now hovers close to the on‑chain TVL of around $28.2 million, which compresses the margin for error when the DAO socializes a 32% vault loss yet only promises up to 19% reimbursement.

Community backlash over Ribbon recovery plan

Community reaction to the recovery terms of 19% has turned hostile across social channels and secondary reporting.

this is super fucked up, you can't just take money from dormant accounts. wtf is wrong with this industry — 0xCommodity (@0xCommodity) December 14, 2025

Commenters argue that early Ribbon depositors, who left assets in deprecated DOV vaults based on prior assurances, now eat an 80%+ haircut. At the same time, Aevo continues to run its main derivatives exchange and L2 stack unaffected.

"…the accounts with the largest deposits have gone dormant over the past 2–4 years, and it's highly likely many of them won't withdraw at all." People are still withdrawing from Saffron V1 from 2020. You can't just steal money because it's been deposited for a while. pic.twitter.com/yZxKtsKQvw — psykeeper 𐁉 (@psykeeper) December 14, 2025

Users also report that some threads have been deleted, and that commenting on Aevo’s posts is now limited to verified accounts and those previously mentioned by Aevo. The company directs users toward the formal claims process rather than open debate.

From an institutional angle, the exploit itself looks like a textbook oracle‑config failure. Still, the response mirrors prior stress episodes around Mango, Euler, and others, where the technical fix landed faster than the social one.

A desk that routes size through Aevo now has to price not just smart contract risk, but governance and social‑layer risk in any vault product that carries the Ribbon legacy brand, since the DAO has set a precedent that losses in older vault lines can clear at a fraction of face value even while the core trading venue and token remain live.

