Aevo, a derivatives platform established by the former team behind Ribbon Finance, has confirmed a significant loss of $2.7 million due to an exploit linked to oracle vulnerabilities following a smart contract update on December 12. The incident has raised serious concerns among users still engaged with Ribbon's vaults, particularly regarding the proposed recovery plan which caps payouts at 19% of the losses.
The exploit, which has been formally acknowledged by the Aevo team, involved a breach of the legacy Ribbon DOV vaults. In a communication released shortly after the incident, Aevo announced that all Ribbon vaults would be disabled permanently, initiating a capped recovery process for affected depositors. The company has opened a six-month window for claims, closing on June 12, 2026, during which users can seek compensation.
According to the details shared by Aevo, the attack was orchestrated by exploiting weaknesses in the updated smart contract. Blockchain analysts have traced the attack path, identifying an exploit contract and multiple recipient addresses that received the drained funds. The analysis revealed that the perpetrator manipulated oracle prices for various assets, including wstETH and AAVE, allowing them to drain assets from the vaults.
Investigation into the incident highlighted a decimal mismatch in the configuration following a recent update, which inadvertently allowed the attacker to submit fraudulent expiry prices for several tokens. This vulnerability, introduced just days before the exploit, facilitated the unauthorized settlement of positions against Ribbon's MarginPool.
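The class of bug described above can be caught with two defensive checks, sketched here as an added example that is not Aevo or Ribbon code: a configuration audit for assets whose components disagree on decimals, and a settlement-time guard that flags a submitted expiry price whose ratio to a trusted reference is close to a power of ten. The component names, the sample configuration, the reference price and the 10% bound are all assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample config: decimals each (hypothetical) component assumes per asset.
FEED_DECIMALS = {
    "wstETH": {"oracle": 8, "pricer": 18},   # components disagree
    "AAVE": {"oracle": 8, "pricer": 8},
}

def find_decimal_mismatches(config):
    """Return the sorted asset names whose components disagree on decimals."""
    return sorted(a for a, parts in config.items() if len(set(parts.values())) > 1)

def check_expiry_price(raw_price, decimals, reference, max_dev=Decimal("0.10")):
    """Validate a submitted integer expiry price against a trusted reference price.

    Returns (ok, reason). A ratio close to a power of ten is reported as a
    decimals mismatch rather than as ordinary price deviation.
    """
    if raw_price <= 0:
        return False, "non-positive price"
    price = Decimal(raw_price).scaleb(-decimals)   # fixed-point integer -> units
    ratio = price / reference
    if abs(ratio - 1) <= max_dev:
        return True, "ok"
    shift = int(ratio.log10().to_integral_value())  # nearest power of ten
    if shift != 0 and abs(ratio.scaleb(-shift) - 1) <= max_dev:
        return False, f"decimals mismatch: off by 10^{shift}"
    return False, "deviation exceeds bound"

if __name__ == "__main__":
    ref = Decimal("3000")  # constructed reference price
    print(find_decimal_mismatches(FEED_DECIMALS))
    print(check_expiry_price(3000 * 10**18, 8, ref))
    print(check_expiry_price(3000 * 10**8, 8, ref))
```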
The market has responded negatively to the exploit, with the price of AEVO dropping to approximately $0.041, reflecting a 7% decline over the past week. The market capitalization now stands at $37.7 million, starkly contrasting with its all-time high of $3.86 recorded earlier in the year. The implied value of the protocol has also diminished, now aligning closely with the on-chain total value locked (TVL) of around $28.2 million.
Community feedback regarding Aevo's recovery strategy has been overwhelmingly critical, with many users expressing frustration over the 19% payout cap. This response has been amplified across social media platforms, where users argue that long-time depositors are facing severe financial losses. Comments indicate a sentiment that the recovery plan is inadequate, particularly for those who invested in deprecated vaults under past assurances.
As Aevo navigates the fallout from this incident, the implications extend beyond immediate financial losses. The exploit underscores broader issues surrounding governance and social trust within the cryptocurrency ecosystem. Stakeholders are now tasked with evaluating not only technical risks but also the reputational damage that may linger as Aevo continues to operate its primary derivatives exchange.
The incident at Aevo serves as a stark reminder of the vulnerabilities inherent in decentralized finance platforms and the critical need for rigorous security measures to protect user assets. As the situation develops, the community will be watching closely to see how Aevo addresses these challenges and restores confidence among its users.