Aevo Loses $2.3 Million in Exploit Targeting Ribbon Vaults
Why It Matters
The incident highlights persistent oracle vulnerabilities in DeFi, underscoring the need for rigorous upgrade testing and risk mitigation for platforms handling complex derivatives.
Decentralized exchange Aevo, formerly Ribbon Finance, suffered a $2.3 million exploit in its legacy Ribbon Decentralized Options Vaults (DOV).
On-chain researcher @SpecterAnalyst first flagged the exploit contract on X, and subsequent analysis by other security researchers pointed to an oracle misconfiguration as the likely root cause.
The exploit began six days after an oracle upgrade that changed the reported price decimals to 18 for certain assets while USDC remained at 8, leaving the settlement math operating on inconsistent scales, researcher Liyi Zhou explained.
The attacker then minted malformed oTokens backed by whitelisted collateral such as WETH, for options such as stETH calls with USDC strikes, and used proxy admin functions to forge ExpiryPriceUpdated events.
That tricked the MarginPool into settling large short oToken positions in the attacker's favor, draining ETH, wstETH, USDC and WBTC through redeem/redeemTo transactions to 15 wallets.
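To make the decimals point concrete, here is an added Python illustration of what a mixed-scale oracle feed does to fixed-point settlement arithmetic. It is not Ribbon's or Opyn's code and not a reconstruction of the attacker's transactions: the feed values, the 3,000 USDC strike, the `SETTLE_DECIMALS` constant and the `rescale`, `call_payout_naive`, `call_payout` and `check_feed_scale` helpers are all hypothetical. It shows a settlement routine that silently assumes every oracle value is at 8 decimals, the same routine after normalizing each price to one scale, and the pre-upgrade check that would have flagged the mismatch before any vault settled against the new oracle.

```python
"""Illustrative fixed-point option settlement against an oracle feed.

Added example, not Ribbon/Opyn code. Every number below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OraclePrice:
    raw: int        # fixed-point price exactly as the oracle reports it
    decimals: int   # scale of `raw`: price = raw / 10**decimals


# Scale the (hypothetical) settlement code was written against.
SETTLE_DECIMALS = 8

# Constructed sample feed, pre-upgrade: every asset reported at 8 decimals.
FEED_BEFORE = {
    "stETH": OraclePrice(3_100 * 10**8, 8),   # $3,100
    "WETH":  OraclePrice(3_000 * 10**8, 8),   # $3,000
    "USDC":  OraclePrice(1 * 10**8, 8),       # $1
}

# Constructed feed after an upgrade that moved some assets to 18 decimals
# while leaving USDC at 8, the kind of inconsistency the article describes.
FEED_AFTER = {
    "stETH": OraclePrice(3_100 * 10**18, 18),
    "WETH":  OraclePrice(3_000 * 10**18, 18),
    "USDC":  OraclePrice(1 * 10**8, 8),
}


def rescale(p: OraclePrice, decimals: int) -> int:
    """Return `p` expressed at `decimals` places (floors when reducing precision)."""
    if p.decimals >= decimals:
        return p.raw // 10 ** (p.decimals - decimals)
    return p.raw * 10 ** (decimals - p.decimals)


def call_payout_naive(feed: dict, underlying: str, strike_raw: int, collateral: str) -> int:
    """BUGGY: trusts that every oracle value is already at SETTLE_DECIMALS.

    `strike_raw` is the USD strike at SETTLE_DECIMALS (3,000 USDC -> 3_000 * 10**8).
    Returns the collateral owed per option as a SETTLE_DECIMALS fixed-point amount.
    """
    expiry = feed[underlying].raw            # raw 18-dec value compared to an 8-dec strike
    cash = max(0, expiry - strike_raw)       # intrinsic value in "USD", wrong scale
    coll_price = feed[collateral].raw        # also mixed scale
    return cash * 10**SETTLE_DECIMALS // coll_price


def call_payout(feed: dict, underlying: str, strike_raw: int, collateral: str) -> int:
    """HARDENED: normalize every oracle value to one scale before comparing."""
    expiry = rescale(feed[underlying], SETTLE_DECIMALS)
    coll_price = rescale(feed[collateral], SETTLE_DECIMALS)
    cash = max(0, expiry - strike_raw)
    return cash * 10**SETTLE_DECIMALS // coll_price


def check_feed_scale(feed: dict, expected: int = SETTLE_DECIMALS) -> list:
    """Upgrade gate: assets whose reported scale no longer matches what settlement assumes."""
    return sorted(asset for asset, p in feed.items() if p.decimals != expected)


if __name__ == "__main__":
    strike = 3_000 * 10**8
    for name, feed in (("before", FEED_BEFORE), ("after", FEED_AFTER)):
        print(name, "scale mismatches:", check_feed_scale(feed))
        for coll in ("WETH", "USDC"):
            print(f"  {coll}-collateralised stETH call: naive={call_payout_naive(feed, 'stETH', strike, coll)}"
                  f" normalized={call_payout(feed, 'stETH', strike, coll)}")
```

With the pre-upgrade feed both routines agree: a 3,000 strike call on an asset expiring at 3,100 is worth 100 USD, or 0.03333333 WETH. With the post-upgrade feed the naive routine owes about 31x too much WETH and, where the collateral is the still-8-decimal USDC, roughly 10^13 USDC per option, while the normalized routine returns the same figures as before. The scale check is the cheap test to run against a staging deployment of any oracle upgrade before a single vault is pointed at it.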
“All Ribbon vaults have been stopped and will be decommissioned effective immediately,” said the Aevo team in a statement.