Aevo Legacy Ribbon DOV Oracle Drain
An oracle upgrade created an 18-vs-8 decimal precision mismatch in Aevo's legacy Ribbon DOV vaults, draining $2.7M. Aevo shut down vaults hours later.
On December 12, 2025, the derivatives platform Aevo — formerly known as Ribbon Finance before its 2023 rebrand — lost approximately $2.7 million when an attacker exploited the legacy Ribbon DOV (DeFi Options Vault) contracts. The vulnerability had been introduced six days earlier by an oracle upgrade that supported new 18-decimal tokens but broke compatibility with the legacy 8-decimal assets the old vaults still used. Aevo permanently shut down its vault operations hours after the attack was detected.
What happened
Ribbon Finance's original DOV vaults supported various crypto assets as collateral for selling options. The vaults had been deployed years before the Aevo rebrand and continued to operate even after the protocol's focus shifted to perpetuals trading on its own Aevo L2.
Six days before the exploit, Aevo deployed an oracle upgrade to support new tokens that use 18-decimal precision. The upgrade modified the protocol's pricing infrastructure to expect 18-decimal price feeds throughout.
The fatal compatibility break: some legacy assets in the older Ribbon vaults still use 8-decimal precision (a common standard for legacy ERC-20 tokens that predate the 18-decimal convention). The oracle upgrade didn't include backward-compatible scaling for these assets, leaving the legacy vaults with a pricing system that misinterpreted the 8-decimal values as if they were 18-decimal.
The attack:
- Identified the precision-mismatch vulnerability in the post-upgrade legacy vaults.
- Deployed a malicious smart contract to interact with the affected DOV markets.
- Created three accounts marked as type 0 (fully collateralized), each with minimal actual collateral.
- Using the precision mismatch, the contracts believed the minimal collateral was worth far more — letting the attacker mint a large number of oTokens (options-trading tokens) against essentially nothing.
- The vaults' design lacked maximum payouts per account or option series, so the attacker could keep minting and redeeming oTokens until $2.7M had been drained from the underlying vault assets.
Aftermath
- Aevo permanently shut down all legacy Ribbon vault operations within hours of detection.
- The team published a post-mortem and began coordinating with security partners.
- No public recovery from the attacker's wallets.
- Aevo's main perpetuals platform was unaffected; the wind-down was limited to the legacy Ribbon DOV product line.
Why it matters
The Aevo / Ribbon incident is part of a recurring 2024-2026 pattern: legacy contracts that outlive their team's active maintenance become attack surface for sophisticated operators. Instances of the pattern include:
- Truebit (Jan 2026) — 5-year-old closed-source bonding curve.
- Yearn iEarn (Apr 2023) — 3-year-old misconfigured yUSDT contract.
- Aevo / Ribbon DOVs (Dec 2025) — legacy options vaults with stale decimal handling.
The structural lessons:
- Upgrades to shared infrastructure (oracles, libraries) require backward-compatibility regression tests for every dependent contract, not just the new code paths the upgrade is designed to support.
- Legacy contracts with meaningful TVL should be on a "deprecate gracefully" path — explicit migration windows, declining maximum exposure, eventual contract pause — rather than being left to operate indefinitely with no active maintenance.
- Maximum-payout caps and rate-limits at the per-contract level are a critical defence even for "battle-tested" contracts, because the threat model includes breaking compatibility upgrades elsewhere in the protocol's stack, not just bugs in the contract itself.
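The decimal mismatch described under "What happened", together with the backward-compatibility regression check the upgrade lacked, modelled in Python as an added illustration (this is not code from Aevo, Ribbon or any of the cited sources; the 8-decimal strike of 2,000, the PriceFeed type and all function names are constructed for the example):

```python
from dataclasses import dataclass
from typing import Callable

WAD = 10**18  # 18-decimal fixed-point scale used by the newer tokens


@dataclass(frozen=True)
class PriceFeed:
    """A constructed oracle answer: raw integer plus the scale the feed declares."""
    price: int
    decimals: int


def to_wad(feed: PriceFeed) -> int:
    """Rescale any feed to 18 decimals so consumers never touch the raw scale."""
    if feed.decimals <= 18:
        return feed.price * 10 ** (18 - feed.decimals)
    return feed.price // 10 ** (feed.decimals - 18)


def required_collateral_buggy(strike: PriceFeed, amount_wad: int) -> int:
    """Post-upgrade behaviour: every feed is assumed to be 18-decimal, so an
    8-decimal strike is read 10**10 times too small and the position is
    accepted with a tiny fraction of the collateral it really needs."""
    return strike.price * amount_wad // WAD


def required_collateral_fixed(strike: PriceFeed, amount_wad: int) -> int:
    """Backward-compatible version: normalise by the feed's declared decimals."""
    return to_wad(strike) * amount_wad // WAD


Requirement = Callable[[PriceFeed, int], int]


def max_mintable(collateral_wad: int, strike: PriceFeed, required: Requirement) -> int:
    """Largest option amount (18-decimal) the collateral supports under `required`."""
    per_unit = required(strike, WAD)  # collateral needed for exactly one option
    return collateral_wad * WAD // per_unit if per_unit else 0


def scaling_regression(price_8dec: int, required: Requirement) -> bool:
    """The dependent-contract regression test the upgrade lacked: the same price
    quoted at 8 and at 18 decimals must yield identical collateral requirements."""
    legacy = PriceFeed(price_8dec, 8)
    modern = PriceFeed(price_8dec * 10**10, 18)
    return required(legacy, WAD) == required(modern, WAD)
```

With one unit of collateral against a 2,000 strike quoted at 8 decimals, the buggy path lets five million options be minted where the fixed path allows 0.0005, and the regression check flags the buggy path while passing the fixed one.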
Aevo's decision to permanently shut down the vault product rather than attempt to repair and relaunch is increasingly the rational choice for protocol teams: the cost of comprehensive remediation often exceeds the value of the remaining user base, and a clean shutdown limits future liability.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-aevo-ribbon-finance-hack-december-2025
- [02] theblock.co: https://www.theblock.co/post/382461/aevos-legacy-ribbon-dov-vaults-exploited-for-2-7-million-following-oracle-upgrade
- [03] rekt.news: https://rekt.news/aevo-rekt