
Ribbon Finance, formerly Aevo, loses $2.7 million in DeFi hack

2025/12/13 18:42

A sophisticated attack on Aevo-rebrand Ribbon Finance drained $2.7 million from its old contract and moved the funds to fifteen separate wallet addresses, some of which have already been consolidated into larger accounts.

According to several blockchain investigators on social platform X, the attack occurred just six days after the platform upgraded its oracle infrastructure and option creation procedures. The attacker used a smart contract prompt to extract hundreds of Ethereum tokens and other digital assets.

In a thread explaining the exploit, Web3 security analyst Liyi Zhou said a malicious contract manipulated the Opyn/Ribbon oracle stack by abusing price-feed proxies, and pushed arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common expiry timestamp. 

“The attacker placed large short oToken positions against Ribbon Finance’s MarginPool, which used these forged expiry prices in its settlement pipeline and transferred out hundreds of WETH and wstETH, thousands of USDC, and several WBTC to theft addresses through redeem and redeemTo transactions,” Zhou explained.

Ribbon Finance’s oracle price upgrade had weaknesses

Six days before the attack, Ribbon Finance’s team updated the oracle pricer to support 18 decimals for stETH, PAXG, LINK, and AAVE. However, other assets, including USDC, were still at eight decimals, and according to Zhou, the discrepancy in decimal precision contributed to the vulnerability that was exploited on Friday.

According to a pseudonymous developer going by the username Weilin on X, the creation of oTokens themselves was not illegal because every underlying token must be whitelisted before it’s used as collateral or a strike asset, a procedure the attacker followed to the letter.

The malicious activity began with the creation of poorly structured option products, where one product consisted of a stETH call option with a 3,800 USDC strike, collateralized with WETH, set to expire on December 12. The attacker then created several oTokens for these options, which were later exploited to drain the protocol.

The attack involved repeated interactions with the proxy admin contract at 0x9D7b…8ae6B76. Some functions, like transferOwnership and setImplementation, were used to manipulate the price-feed proxies through delegate calls. The hacker invoked an implementation for the oracle to set asset expiry prices at the same timestamp to cause ExpiryPriceUpdated events that confirmed the fraudulent valuations.

The manipulated prices made the system recognize stETH as being far above the strike price, and burning 225 oTokens yielded 22.468662541163160869 WETH. In total, the hacker extracted approximately 900 ETH through this method.
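One way to watch for the pattern described above, as an added example that is not code from Ribbon, Opyn or the analysts quoted: a Python check over decoded ExpiryPriceUpdated records. The record fields, setter allowlist, reference prices and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed records shaped like decoded ExpiryPriceUpdated logs joined with the
# transaction sender. Field names, senders and every value are assumptions.
PRICE_DECIMALS = 8                               # scale the consumer expects
TRUSTED_SETTERS = {"0xPricerA", "0xPricerB"}     # hypothetical allowlist
REFERENCE_USD = {"wstETH": 3900, "AAVE": 200, "LINK": 14, "WBTC": 90000}
EXPIRY = 1765526400                              # constructed expiry timestamp

EVENTS = [
    {"asset": "WBTC", "expiry": EXPIRY - 604800, "price": 90_500 * 10**8, "setter": "0xPricerA"},
    {"asset": "wstETH", "expiry": EXPIRY, "price": 3_900 * 10**18, "setter": "0xUnknown"},
    {"asset": "AAVE", "expiry": EXPIRY, "price": 1 * 10**8, "setter": "0xUnknown"},
    {"asset": "LINK", "expiry": EXPIRY, "price": 14 * 10**8, "setter": "0xUnknown"},
]

def check_event(ev, max_deviation=0.25):
    """Per-event rules: who wrote the price, and is it plausible at the expected scale."""
    findings = []
    if ev["setter"] not in TRUSTED_SETTERS:
        findings.append("untrusted-setter")
    usd = ev["price"] / 10**PRICE_DECIMALS
    ref = REFERENCE_USD[ev["asset"]]
    # A value written at 18 decimals but read at 8 shows up here as a huge deviation.
    if abs(usd - ref) / ref > max_deviation:
        findings.append("price-deviation")
    return findings

def scan(events, batch_threshold=3):
    """Return (rule, subject) alerts, including one setter pricing many assets at one expiry."""
    alerts = []
    batches = defaultdict(set)
    for ev in events:
        alerts += [(rule, ev["asset"]) for rule in check_event(ev)]
        batches[(ev["setter"], ev["expiry"])].add(ev["asset"])
    for (setter, _expiry), assets in batches.items():
        if setter not in TRUSTED_SETTERS and len(assets) >= batch_threshold:
            alerts.append(("multi-asset-expiry-write", setter))
    return alerts

if __name__ == "__main__":
    for rule, subject in scan(EVENTS):
        print(f"{rule}: {subject}")
```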

Web3 security firm Spectre spotted the initial transfers to a wallet address at 0x354ad…9a355e, but from there, the money was distributed to 14 more accounts, with many holding around 100.1 ETH each. Some of the stolen funds have already entered what Zhou referred to as “TC” or treasury consolidation pools.

DeFi lending protocol builder: Opyn dApp was not compromised 

According to Monarch DeFi developer Anton Cheng, Coinbase-backed decentralized application Opyn was not compromised as rumored in chatter on Crypto Twitter.

Cheng explained that the Ribbon Finance hack was facilitated by upgraded oracle code that inadvertently allowed any user to set prices for newly added assets. He noted that the attack began with a preparatory transaction to “set the stage” by generating poorly structured oTokens with legitimate collateral and strike assets. He added that the fake tokens allowed the hacker to pick well-known underlyings like AAVE to avoid drawing attention and getting flagged.

The hacker then set up three “subaccounts,” each depositing minimal collateral to mint all three options. All subaccounts were marked as type 0, meaning they were fully collateralized, but the absence of a maximum payout limit for each account or oToken helped the perpetrator drain assets without any restrictions.

Under Opyn’s Gamma systems, the underlying asset must match the collateral for call options and the strike for puts to keep sellers fully collateralized. If an oracle is compromised, only sellers for that specific product are meant to suffer.

Yet in this case, the combination of new oToken creation and the manipulated oracle was enough to bypass these protections.
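An added example, not Ribbon's or Opyn's code: a simplified Python model of expired-call settlement, showing what happens when an 18-decimal price is read at an 8-decimal scale and how a per-oToken cap tied to locked collateral bounds the payout. The feed values, function names and payout formula are assumptions for illustration; only the 3,800 USDC strike comes from the article.

```python
from fractions import Fraction

# Constructed feed: asset -> (raw integer price, decimals of that raw value).
FEED = {
    "stETH": (3_000 * 10**18, 18),  # asset moved to 18 decimals
    "WETH": (3_000 * 10**8, 8),     # asset still on 8 decimals
}

def usd(feed, asset, assumed_decimals=None):
    """Exact USD price. assumed_decimals models a reader that ignores the feed's scale."""
    raw, decimals = feed[asset]
    scale = decimals if assumed_decimals is None else assumed_decimals
    return Fraction(raw, 10**scale)

def call_payout(underlying_px, collateral_px, strike_px):
    """Uncapped payout per oToken, in collateral units (simplified model)."""
    cash_value = max(underlying_px - strike_px, Fraction(0))
    return cash_value / collateral_px

def capped_payout(underlying_px, collateral_px, strike_px, locked, minted):
    """Same payout, bounded by the collateral actually locked behind each oToken."""
    per_token_cap = Fraction(locked) / minted
    return min(call_payout(underlying_px, collateral_px, strike_px), per_token_cap)

def demo():
    strike = Fraction(3_800)  # strike from the article's example product
    weth = usd(FEED, "WETH")
    # Each price normalized by its own decimals: the call expires out of the money.
    honest = call_payout(usd(FEED, "stETH"), weth, strike)
    # 18-decimal raw value read at 8 decimals: the payout is inflated by 10**10.
    misread_px = usd(FEED, "stETH", assumed_decimals=8)
    misread = call_payout(misread_px, weth, strike)
    # The cap limits the payout to the collateral locked per minted oToken.
    bounded = capped_payout(misread_px, weth, strike, locked=Fraction(1, 10), minted=1)
    return honest, misread, bounded

if __name__ == "__main__":
    for label, value in zip(("honest", "misread scale", "capped"), demo()):
        print(f"{label}: {float(value):.4f} WETH per oToken")
```

When collateral and underlying are the same asset, `call_payout(p, p, k)` stays below one unit per oToken for any price `p`, which is the bound the Gamma rule above relies on.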
