Ribbon Finance hack: hackers stole $2.7 million through an oracle vulnerability
The incident once again showed that price manipulation remains a serious threat to DeFi.
15.12.2025 - 10:10
Key points:
- On December 12, attackers exploited a vulnerability in Ribbon Finance's oracle system and stole approximately $2.7 million.
- The bug was introduced by a code upgrade and let the attacker set arbitrary settlement prices for assets.
On December 12, attackers compromised Ribbon Finance smart contracts, which now belong to the Aevo platform. According to blockchain security researchers, an error in an oracle upgrade let the attackers manipulate prices and withdraw about $2.7 million.
The attack targeted Ribbon's DeFi Option Vaults (DOVs). At the peak of the DeFi market, more than $300 million was locked in them. Despite Ribbon Finance's rebranding in 2023 and the project's transition to Aevo, these vaults continued to operate on Ethereum mainnet. The Aevo team clarified that its layer-2 exchange itself was not affected.
How the hack happened and what analysts found
The first to flag the suspicious transactions was blockchain analyst Specter, who identified the contract used in the attack as well as the wallets the funds were withdrawn to.
The attacker withdrew hundreds of ETH and a large amount of USDC, then distributed the funds among 15 addresses, roughly 100 ETH each.
Security researcher Liyi Zhou explained that the attacker exploited a vulnerability in the Opyn/Ribbon oracle system. Using proxies, he was able to set arbitrary prices for wstETH, AAVE, LINK and WBTC at the same expiry, which is what made the attack possible.
According to Anton Cheng of Monarch DeFi, the problem was introduced by an oracle code upgrade on December 6 that effectively allowed anyone to set prices for newly added assets. The core Opyn protocol itself was not compromised; the vulnerability lay only in Ribbon's configuration.
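To make the failure mode concrete, here is an added, deliberately simplified Solidity example written for this article. It is not Opyn's or Ribbon's code, and the contract names, the pricer registry layout, the 8-decimal price convention and the once-per-expiry rule are all assumptions. The vulnerable setter shows the pattern described above, a price-reporting path that skips the authorization check for assets no pricer has been registered for, beside a setter that fails closed, and a minimal consumer that shows why whoever controls the settlement price controls the payout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical settlement oracle (illustrative code written for this article,
/// not Opyn's or Ribbon's actual contracts; names and layout are assumptions).
contract ExpiryOracle {
    address public owner;
    // asset => pricer (contract or EOA) authorised to report that asset's price
    mapping(address => address) public assetPricer;
    // asset => expiry timestamp => settlement price (8 decimals assumed)
    mapping(address => mapping(uint256 => uint256)) public expiryPrice;
    mapping(address => mapping(uint256 => bool)) public expiryPriceSet;

    event ExpiryPriceUpdated(address indexed asset, uint256 indexed expiry, uint256 price, address reporter);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAssetPricer(address asset, address pricer) external onlyOwner {
        require(pricer != address(0), "zero pricer");
        assetPricer[asset] = pricer;
    }

    /// VULNERABLE (constructed to mirror the "anyone can set prices for new
    /// assets" bug): the access check is skipped when no pricer has been
    /// registered for the asset, on the theory that a brand-new asset has
    /// nobody else to report it. An attacker picks an asset the upgrade never
    /// registered and reports whatever price makes their position pay out.
    function setExpiryPriceVulnerable(address asset, uint256 expiry, uint256 price) external {
        address pricer = assetPricer[asset];
        if (pricer != address(0)) {
            require(msg.sender == pricer, "not pricer");
        }
        _store(asset, expiry, price);
    }

    /// HARDENED: fail closed. An unregistered asset has no authorised reporter,
    /// so nobody can set its price; the expiry must have passed; a price can be
    /// written only once per expiry; and a zero price is rejected.
    function setExpiryPrice(address asset, uint256 expiry, uint256 price) external {
        address pricer = assetPricer[asset];
        require(pricer != address(0), "no pricer registered");
        require(msg.sender == pricer, "not pricer");
        require(block.timestamp >= expiry, "expiry not reached");
        require(!expiryPriceSet[asset][expiry], "price already set");
        require(price > 0, "zero price");
        _store(asset, expiry, price);
    }

    function _store(address asset, uint256 expiry, uint256 price) internal {
        expiryPrice[asset][expiry] = price;
        expiryPriceSet[asset][expiry] = true;
        emit ExpiryPriceUpdated(asset, expiry, price, msg.sender);
    }
}

/// Consumer sketch: a covered-call vault settles against the oracle price,
/// so whoever controls that price controls the payout.
contract CallSettlement {
    ExpiryOracle public immutable oracle;

    constructor(ExpiryOracle o) {
        oracle = o;
    }

    /// Intrinsic value of one call per unit of underlying, in oracle decimals.
    function payoutPerUnit(address asset, uint256 expiry, uint256 strike) external view returns (uint256) {
        require(oracle.expiryPriceSet(asset, expiry), "price not finalized");
        uint256 spot = oracle.expiryPrice(asset, expiry);
        return spot > strike ? spot - strike : 0;
    }
}
```

The practical checks this suggests for any oracle upgrade: every price-writing path must require a registered, authorised reporter with no "unregistered asset" escape hatch; assets added by the upgrade must have their pricers set in the same transaction or the upgrade should revert; and a one-write-per-expiry rule plus an event on every write gives monitors something to alert on before settlement runs.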
After the incident, Aevo halted all Ribbon vaults and announced that they will be closed permanently. The loss came to about 32% of the vaults' value, but the team proposed capping the write-down for users at 19% of the value of their positions at the time of the attack.
It gave two reasons for this decision:
- First, the DAO will absorb the loss on its own funds held in the vaults, about $400,000, which reduces the total damage to users to $2.3 million.
- Second, the largest deposits belonged mainly to inactive users who had not interacted with the vaults for the past two to four years.
Oracle manipulation remains one of the most common attack vectors in DeFi. In a separate earlier incident, a Venus Protocol user fell victim to phishing and lost $27 million.