Ribbon Finance, formerly Aevo, loses $2.7 million in DeFi hack

Markets 2025-12-15 10:21

A sophisticated attack on Aevo-rebrand Ribbon Finance drained $2.7 million from its old contract and moved to fifteen separate wallet addresses, some of which have already been consolidated into larger accounts. 

According to several blockchain investigators on social platform X, the attack occurred just six days after the platform upgraded its oracle infrastructure and option creation procedures. They used a smart contract prompt to extract hundreds of Ethereum tokens and other digital assets.


In a thread explaining the exploit, Web3 security analyst Liyi Zhou said a malicious contract manipulated the Opyn/Ribbon oracle stack by abusing price-feed proxies, and pushed arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common expiry timestamp. 

“The attacker placed large short oToken positions against Ribbon Finance’s MarginPool, which used these forged expiry prices in its settlement pipeline and transferred out hundreds of WETH and wstETH, thousands of USDC, and several WBTC to theft addresses through redeem and redeemTo transactions,” Zhou explained.

Ribbon Finance’s oracle price upgrade had weaknesses

Six days before the attack, Ribbon Finance’s team updated the oracle pricer to support 18 decimals for stETH, PAXG, LINK, and AAVE. However, other assets, including USDC, were still at eight decimals, and according to Zhou, the discrepancy in decimal precision contributed to the vulnerability that was exploited on Friday.


According to a pseudonymous developer going by the username Weilin on X, the creation of oTokens themselves was not illegal because every underlying token must be whitelisted before it’s used as collateral or a strike asset, a procedure the attacker followed to the letter.

The malicious activity began with the creation of poorly structured option products, where one product consisted of a stETH call option with a 3,800 USDC strike, collateralized with WETH, set to expire on December 12. The attacker then created several oTokens for these options, which were later exploited to drain the protocol.

The attack involved repeated interactions with the proxy admin contract at 0x9D7b…8ae6B76. Some functions, like transferOwnership and setImplementation, were used to manipulate the price-feed proxies through delegate calls. The hacker invoked an implementation for the oracle to set asset expiry prices at the same timestamp to cause ExpiryPriceUpdated events that confirmed the fraudulent valuations.

The manipulated prices made the system recognize stETH as being far above the strike price and burned 225 oTokens, yielding 22.468662541163160869 WETH. In total, the hacker extracted approximately 900 ETH through this method.

Web3 security firm Spectre spotted the initial transfers to a wallet address at 0x354ad…9a355e, but from there, the money was distributed to 14 more accounts, with many holding around 100.1 ETH each. Some of the stolen funds have already entered what blockchain Zhou referred to as “TC” or treasury consolidation pools.

DeFi lending protocol builder: Opyn dApp was not compromised 

According to Monarch DeFi developer Anton Cheng, Coinbase-backed decentralized application Opyn was not compromised as rumored in chatter on Crypto Twitter.


Cheng explained that the Ribbon Finance hack was facilitated by an upgraded oracle code that inadvertently allowed any user to set prices for newly added assets. He denoted that the attack began with a preparatory transaction to “set the stage” by generating poorly structured oTokens with legitimate collateral and strike assets. He continued to say that the fake tokens allowed the hacker to pick well-known underlyings like AAVE to avoid drawing attention and getting flagged. 

The hacker then set up three “subaccounts,” each depositing minimal collateral to mint all three options. All subaccounts were marked as type 0, meaning they were fully collateralized, but the absence of a maximum payout limit for each account or oToken helped the perpetrator drain assets without any restrictions.

Under Opyn’s Gamma systems, the underlying asset must match the collateral for call options and the strike for puts to keep sellers fully collateralized. If an oracle is compromised, only sellers for that specific product are meant to suffer.

Yet in this case, the combination of new oToken creation and the manipulated oracle were enough to bypass these protections.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.

Share to:

This content is for informational purposes only and does not constitute investment advice.

Recommended Reading
2025-12-15 10:21
Ribbon Finance, formerly Aevo, loses $2.7 million in DeFi hack
2025-12-15 10:21
South Africa eases stance as Musk pushes Starlink rollout
2025-12-15 10:21
K9 Finance warns it may sever ties with Shibarium
2025-12-15 10:20
Best Cryptos to Buy: Top 3 Altcoins to Buy Before Christmas 2025 
2025-12-15 10:20
Best Crypto to Invest In December 2025: US Markets Move On-Chain as DeepSnitch AI Presale Price Rises 85%
2025-12-15 10:19
BlockDAG vs BlockchainFX: Which Top Crypto Presale Offers the Best Passive Income for 2026?

Popular Articles

Curated Series

SuperEx Popular Science Articles Column

SuperEx Popular Science Articles Column

This collection features informative articles about SuperEx, aiming to simplify complex cryptocurrency concepts for a wider audience. It covers the basics of trading, blockchain technology, and the features of the SuperEx platform. Through easy-to-understand content, it helps users navigate the world of digital assets with confidence and clarity.
Unstaked related news and market dynamics research

Unstaked related news and market dynamics research

Unstaked (UNSD) is a blockchain platform integrating AI agents for automated community engagement and social media interactions. Its native token supports governance, staking, and ecosystem features. This special feature explores Unstaked’s market updates, token dynamics, and platform development.
XRP News and Research

XRP News and Research

This series focuses on XRP, covering the latest news, market dynamics, and in-depth research. Featured analysis includes price trends, regulatory developments, and ecosystem growth, providing a clear overview of XRP's position and potential in the cryptocurrency market.
How do beginners trade options?How does option trading work?

How do beginners trade options?How does option trading work?

This special feature introduces the fundamentals of options trading for beginners, explaining how options work, their main types, and the mechanics behind trading them. It also explores key strategies, potential risks, and practical tips, helping readers build a clear foundation to approach the options market with confidence.

What are the risks of investing in cryptocurrency?

What are the risks of investing in cryptocurrency?

This special feature covers the risks of investing in cryptocurrency, explaining common challenges such as market volatility, security vulnerabilities, regulatory uncertainties, and potential scams. It also provides analysis of risk management strategies and mitigation techniques, helping readers gain a clear understanding of how to navigate the crypto market safely.