Aevo’s Ribbon Vault Exploit Spurs Backlash Over 19% Payout Plan

Aevo, the derivatives venue built by the former Ribbon Finance team, confirmed a $2.7 million loss from its legacy Ribbon DOV vaults after an oracle-related smart contract upgrade on December 12.

Shortly after, the project team relayed that Aevo will permanently disable all Ribbon vaults and run a capped recovery process for affected users. It explained that the old Ribbon DOV vault was hacked on December 12 due to smart contract vulnerabilities in a recent update, leading to a $2.7 million loss.

As a consequence, all Ribbon vaults were paused and should soon be permanently disabled, with a six‑month claims window through June 12, 2026. The post adds that the DAO will liquidate remaining assets to compensate users “up to 19% of the missing amount or the remaining balance,” whichever is lower.

How the Ribbon vault hack actually happened

Blockchain investigators reconstructed the attack path using the exploit contract at 0x3c212A044760DE5a529B3Ba59363ddeCcc2210bE and at least 15 recipient addresses first flagged by on‑chain analyst Specter on X. Specter wrote that “the old contract of @ribbonfinance has been drained for a total of $2.7M,” listing theft addresses that received drained [NC] and stablecoins.

Security write‑ups from multiple venues agree that the attacker abused the oracle proxy admin to submit arbitrary expiry prices for wstETH, AAVE, [NC] , and other underlyings, then settled oToken positions against Ribbon’s MarginPool to pull assets from the vaults.

Post‑mortems point to a decimal‑mismatch bug introduced six days earlier, when Ribbon updated the oracle pricer to 18‑decimal feeds for stETH, PAXG, LINK, and AAVE while keeping USDC at eight decimals. Web3 security researcher Weilin highlighted that the configuration allowed forged expiry prices at a shared timestamp across assets, which the settlement pipeline then treated as valid for prominent short oToken positions. Funds now sit spread across the original 15 addresses and several consolidation wallets, with no public recovery negotiation from the attacker.

Aevo price reacts with a drop

The market has already marked Aevo down. AEVO trades at about $0.041 per token today, with a 7-day drop of 7% and a market cap of $37.7 million on a circulating supply of 915.8 million. That price sits 98.9% below the March 28, 2024, all‑time high of $3.86.

Aevo price in 7 days | Source: CoinMarketCap

Implied protocol value now hovers close to the on‑chain TVL of around $28.2 million, which compresses the margin for error when the DAO socializes a 32% vault loss yet only promises up to 19% reimbursement.

Community backlash over Ribbon recovery plan

Community reaction to the recovery terms of 19% has turned hostile across social channels and secondary reporting.

Commenters argue that early Ribbon depositors, who left assets in deprecated DOV vaults based on prior assurances, now eat an 80%+ haircut. At the same time, Aevo continues to run its main derivatives exchange and L2 stack unaffected.

Users also report that some threads have been deleted, and that commenting on Aevo’s posts is now limited to verified accounts and those previously mentioned by Aevo. The company directs users toward the formal claims process rather than open debate.

From an institutional angle, the exploit itself looks like a textbook oracle‑config failure. Still, the response mirrors prior stress episodes around Mango, Euler, and others, where the technical fix landed faster than the social one.

A desk that routes size through Aevo now has to price not just smart contract risk, but governance and social‑layer risk in any vault product that carries the Ribbon legacy brand, since the DAO has set a precedent that losses in older vault lines can clear at a fraction of face value even while the core trading venue and token remain live.

The post Aevo’s Ribbon Vault Exploit Spurs Backlash Over 19% Payout Plan appeared first on Coinspeaker.