An attack on the legacy contracts of Ribbon Finance, the options protocol that has since rebranded as Aevo, drained roughly $2.7 million and moved the funds to 15 separate wallet addresses. Some of those addresses have already forwarded funds into larger accounts.
According to several blockchain researchers posting on the social platform X, the attack came just six days after the protocol upgraded its oracle infrastructure and option-creation procedures. The attacker used ordinary smart contract calls to extract hundreds of ETH along with other digital assets.
@ribbonfinance’s old contracts were drained for a total of $2.7 million.
Exploit contract: 0x3c212A044760DE5a529B3Ba59363ddeCcc2210bE
Addresses of theft:
0x354ad0816de79E72452C14001F564e5fDf9a355e
0x2Cfea8EfAb822778E4e109E8f9BCdc3e9E22CCC9… pic.twitter.com/sXKDYoL4RS
— Specter (@SpecterAnalyst) December 12, 2025
Web3 security analyst Liyi Zhou described the exploit in a thread: a malicious price feed proxy was used to manipulate the Opyn/Ribbon oracle stack, pushing arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into a shared oracle under a common expiration timestamp.
“The attacker placed a large oToken short position against Ribbon Finance’s margin pool, used these forged expiration prices in the payment pipeline, and transferred hundreds of WETH and wstETH, thousands of USDC, and several WBTC to the stolen addresses through redemption and redemption-to transactions,” Zhou explained.
Ribbon Finance’s oracle price upgrade had weaknesses
Six days before the attack, the Ribbon Finance team updated its oracle pricer to report 18-decimal prices for stETH, PAXG, LINK, and AAVE, while other assets, including USDC, were still priced with eight decimals. Zhou said this discrepancy in decimal precision contributed to the vulnerability exploited on Friday.
The latest @ribbonfinance attack appears to be due to a flaw in the Oracle configuration.
6 days ago, the owner updated the oracle pricer to use 18-decimal prices for stETH, PAXG, LINK, and AAVE. However, other assets such as USDC are still priced with 8 decimals.
Creation of OToken is not… pic.twitter.com/4cpZUNTNun
— Weilin (William) Lee (@hklst4r) December 13, 2025
According to the pseudonymous developer who posts on X as Weilin, creating the oTokens was not in itself illegitimate: every underlying, collateral and strike asset must be whitelisted before it can be used, and the attacker followed that procedure to the letter.
The malicious activity began with the creation of an oddly structured options product: a stETH call with a 3,800 USDC strike, collateralized by WETH and expiring on December 12. The attacker then minted several oTokens for these options, which were later used to drain the protocol.
The attack involved repeated interactions with the proxy administrator contract at 0x9D7b…8ae6B76. Functions such as transferOwnership and setImplementation were used to take control of the price feed proxies through delegate calls. The attacker then called the oracle implementation to set each asset’s expiry price under the same timestamp, emitting an ExpiryPriceUpdated event that confirmed the fraudulent valuation.
Because of the manipulated price, the system concluded that stETH had settled far above the strike price and burned 225 oTokens, paying out 22.468662541163160869 WETH. Repeating this method, the attacker extracted approximately 900 ETH in total.
Web3 security firm Specter traced the initial transfer to wallet address 0x354ad…9a355e, from which the funds were distributed across 14 accounts, many holding approximately 100.1 ETH each. Some of the stolen funds have already been moved on to what Zhou called the “TC” or Treasury Integration Pool.
DeFi developer: Opyn dApp was not compromised
Coinbase-backed decentralized application Opyn was not compromised, despite rumors circulating on Crypto Twitter, according to Monarch DeFi developer Anton Cheng.
I thought I might be to blame, so I looked up the Ribbon hack. Here’s what I’ve found so far:
1. @opyn_ has not been hacked. It’s actually a fork from @ribbonfinance_.
2. This hack was primarily caused by upgraded oracle code that allows anyone to set prices for new assets. When will this… https://t.co/AcF2p495OM pic.twitter.com/BH2rAvNPmP
— Anton Chen (@antonttc) December 13, 2025
Cheng explained that the Ribbon Finance hack was made possible by upgraded oracle code that let users misprice newly added assets. The attack began with a “stage-setting” preparatory transaction that created oddly structured oTokens using legitimate collateral and strike assets; the attacker chose well-known assets such as AAVE so the oTokens would not stand out or be flagged as involving fake tokens.
The attacker then opened three vaults (“subaccounts”), deposited the minimum collateral in each and minted all three options from them. All three vaults were Type 0, meaning fully collateralized, but because neither a vault nor an oToken carries a maximum payout cap, the attacker was able to drain assets without restriction.
Opyn’s Gamma system requires a call to be collateralized in its underlying asset and a put in its strike asset, so that the writer is always fully collateralized; under those rules a compromised oracle should only harm the writer of that particular product.
In this case, however, the combination of freshly created oTokens and manipulated oracle prices was enough to circumvent those protections.
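The two mechanics the analysts point to above, an 18-decimal price meeting an 8-decimal strike and an oracle that lets the wrong caller set expiry prices, are easiest to see in numbers. The following Python is an added example written for this article, not Opyn’s or Ribbon’s code. It models a Gamma-style cash-settled call (collateral per oToken = (expiry − strike) / expiry, strikes and stored prices at 8 decimals; both are my assumptions about the settlement math), shows how an unscaled 18-decimal expiry price turns a modest payout into nearly the full collateral, and sketches an oracle that rescales feeds to a common precision and refuses price updates from anyone but the asset’s registered pricer. The asset names, addresses, timestamps and prices are constructed; the 225 oTokens and 3,800 strike are taken from the article.

```python
"""Gamma-style call settlement and the effect of mismatched price decimals.

Added example for this article; it is not Opyn's or Ribbon's code.
Assumptions (mine): call oTokens are collateralised in the underlying,
strike prices and stored oracle prices use 8 decimals, and the payout per
oToken in collateral is max(expiry - strike, 0) / expiry.  All assets,
addresses and prices below are constructed.
"""
from fractions import Fraction

COMMON_DECIMALS = 8  # scale every price is normalised to before settlement


def to_fixed(value: str, decimals: int) -> int:
    """Human-readable decimal string -> integer fixed-point at `decimals`."""
    return int(Fraction(value) * 10 ** decimals)


def normalize(price: int, from_decimals: int, to_decimals: int = COMMON_DECIMALS) -> int:
    """Rescale a fixed-point price; truncates when reducing precision."""
    if from_decimals >= to_decimals:
        return price // 10 ** (from_decimals - to_decimals)
    return price * 10 ** (to_decimals - from_decimals)


def call_payout_per_otoken(expiry_price: int, strike_price: int) -> Fraction:
    """Collateral (in units of the underlying) paid per call oToken.

    Only meaningful when both prices share the same fixed-point scale; a
    mismatch pushes the ratio towards 1, i.e. the whole collateral backing
    each oToken, regardless of the real spot price.
    """
    if expiry_price <= strike_price:
        return Fraction(0)
    return Fraction(expiry_price - strike_price, expiry_price)


def settle_calls(n_otokens: int, expiry_price: int, strike_price: int) -> Fraction:
    """Total collateral released for `n_otokens` at settlement."""
    return n_otokens * call_payout_per_otoken(expiry_price, strike_price)


class ExpiryOracle:
    """Minimal oracle storing one normalised expiry price per (asset, expiry).

    Two guards (my hardening, not the protocol's code): only the pricer
    registered for an asset may set its expiry price, and the raw feed value
    is rescaled from the asset's declared decimals to COMMON_DECIMALS so an
    18-decimal feed is never compared against an 8-decimal strike.
    """

    def __init__(self) -> None:
        self._pricers: dict[str, str] = {}
        self._decimals: dict[str, int] = {}
        self._prices: dict[tuple[str, int], int] = {}

    def register_asset(self, asset: str, pricer: str, decimals: int) -> None:
        self._pricers[asset] = pricer
        self._decimals[asset] = decimals

    def set_expiry_price(self, caller: str, asset: str, expiry: int, raw_price: int) -> None:
        if self._pricers.get(asset) != caller:
            raise PermissionError(f"{caller} is not the registered pricer for {asset}")
        if (asset, expiry) in self._prices:
            raise ValueError("expiry price already finalised")
        self._prices[(asset, expiry)] = normalize(raw_price, self._decimals[asset])

    def expiry_price(self, asset: str, expiry: int) -> int:
        return self._prices[(asset, expiry)]


def demo() -> dict:
    """Three settlements of 225 calls with a 3,800 strike.

    honest:   expiry 4,000 reported and stored at 8 decimals
    mismatch: the same 4,000 arrives as an 18-decimal value and is used raw
    guarded:  the 18-decimal feed goes through ExpiryOracle, which rescales it
              and refuses an update from an unregistered caller
    """
    strike = to_fixed("3800", COMMON_DECIMALS)
    honest = settle_calls(225, to_fixed("4000", 8), strike)
    mismatch = settle_calls(225, to_fixed("4000", 18), strike)

    oracle = ExpiryOracle()
    oracle.register_asset("stETH", pricer="0xpricer", decimals=18)  # constructed address
    expiry = 1_765_526_400  # constructed: 2025-12-12 08:00 UTC
    try:
        oracle.set_expiry_price("0xattacker", "stETH", expiry, to_fixed("1000000", 18))
        attacker_blocked = False
    except PermissionError:
        attacker_blocked = True
    oracle.set_expiry_price("0xpricer", "stETH", expiry, to_fixed("4000", 18))
    guarded = settle_calls(225, oracle.expiry_price("stETH", expiry), strike)
    return {"honest": honest, "mismatch": mismatch, "guarded": guarded,
            "attacker_blocked": attacker_blocked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {float(value) if isinstance(value, Fraction) else value}")
```

With an honest 4,000 settlement the 225 calls release 11.25 units of collateral; feed the same 4,000 in at 18 decimals against an 8-decimal strike and the payout becomes 224.99999998, essentially every unit of collateral behind the series. The oracle guard is deliberately boring: normalise once on the way in, and make the asset-to-pricer binding the only path by which an expiry price can be written.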