defirisk.co
rubric v1.7.0

Aevo (formerly Ribbon Finance): Proxy upgrade removed oracle access control — oracle price settable to arbitrary value → vault fully drained in atomic loop

  • Occurred: 2025-12-12
  • Loss: $3M
  • Status: closed

Summary

Aevo (formerly Ribbon Finance) suffered an exploit of an Options / Structured Products Vault on 2025-12-12, resulting in a loss of approximately $3M.

What happened

A routine oracle upgrade to Aevo's legacy Ribbon vaults accidentally removed access control on price-setting, giving the attacker a 6-day window to set prices to infinity and drain $2.7M.

Linked factors

  • RD-F-001 — causal: ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the specific oracle upgrade that removed access control was not audited]
  • RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — oracle upgrade deployed 6 days before exploit]
  • RD-F-027 — causal: ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the upgrade itself was an admin action (root cause)]
  • RD-F-099 — illustrative: Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — oracle access control silently removed; price became settable by anyone]
  • RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the upgrade itself was an admin action (root cause)]