In Brief
- Aevo lost $2.7M due to manipulated expiry prices after oracle system upgrade.
- Attacker used fake options to exploit Ribbon’s MarginPool and drain ETH and USDC.
- Funds were split across 15 wallets, some linked to treasury consolidation pools.
A sophisticated exploit drained $2.7 million from Aevo, formerly Ribbon Finance, targeting its outdated smart contract system. The attack occurred six days after an oracle upgrade changed the price-feed structure and decimal formatting for several tokens.
The attacker manipulated expiry prices by abusing the oracle’s proxy contract, submitting arbitrary values for assets like wstETH, AAVE, and LINK. They used these fake prices to settle option contracts in their favor, extracting hundreds of ETH and thousands in stablecoins.
Security analysts traced the attack to interactions with the oracle’s proxy admin contract, allowing unauthorized control over price updates. The malicious actor created poorly structured options using legitimate whitelisted tokens, avoiding detection during setup. These options were then used to trigger false settlements from Ribbon’s MarginPool.
Oracle changes created vulnerability; funds spread across multiple wallets
The issue began when Ribbon Finance updated its oracle system to support 18-decimal pricing for certain assets, excluding USDC. This inconsistency introduced a flaw that let attackers push fake expiry prices across all tokens with a shared timestamp.
Using oTokens based on stETH, collateralized with WETH, the attacker triggered settlements by forcing the system to recognize fake valuations. The smart contract then released assets to wallets controlled by the attacker, distributing the stolen funds across 15 addresses.
Blockchain investigators identified initial transfers to a wallet address that then routed funds into additional accounts. Many addresses held about 100 ETH each, and some have been linked to treasury consolidation pools. The total haul included around 900 ETH and large sums of USDC.
According to Web3 developers, the attack exploited Ribbon’s oracle upgrade but did not compromise the Opyn platform. The oToken creation process was followed correctly, but the lack of payout caps allowed unchecked asset drainage. Analysts confirmed Opyn’s core system remained secure throughout the incident.
| DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing. |
Source: https://coincu.com/news/aevo-ribbon-hack-exploits-oracle-upgrade/
