📚 Funds Loss at Aevo Caused by Oracle Configuration Mistake

✅ Overview

Approximately $2.7 million worth of funds were drained from an old Ribbon Finance Vault integrated into Aevo because its oracle configuration was not updated correctly. This was not a sophisticated cryptographic breach; it was a case where misconfigurations in permission management and price calculation were exploited in a chain reaction. The article systematically explains how the gap between the past design and the new update led to a fatal outcome.

✅ Background of the Integration from Ribbon to Aevo

Ribbon Finance is known as an early DeFi options protocol, and it was later integrated into Aevo. The integration was not a service shutdown but a decision to keep using the existing Vaults as a core function of Aevo. The old Vaults therefore remained operating on Ethereum and kept holding their funds.

✅ The Oracle Update That Triggered the Problem

In December 2025, Aevo updated the oracle configuration of the old Ribbon Vault. Oracles are the mechanism that supplies price information to smart contracts. This update, however, removed the permission check, allowing anyone to change the price and the implementation address. In other words, it was like leaving the vault's key unsecured.

✅ Permission Mistakes and Price Calculation Discrepancies

The updated oracle assumed 18 decimal places, but assets with 8 decimal places still remained in the Vault. This discrepancy caused a price calculation error, allowing attackers to set prices that were extremely high compared to the actual value. Moreover, because the oracle's ownership transfer was authorized solely by tx.origin (the original sender of the transaction), attackers could impersonate legitimate administrators by routing through specific wallets.

✅ Attack Process

The attacker first created an option product that satisfied invalid conditions, then temporarily replaced the oracle implementation to alter the price. When the oToken (a token representing an option) was exercised under these conditions, the Vault believed it was settling correctly and paid out large amounts of WETH and USDC. By repeating this operation, the Vault was emptied in a short time.

✅ Funds Movement and Concealment

The drained funds were distributed across multiple wallets and moved in fixed amounts. This is a typical method for making tracking difficult, and it is believed to be preparation for use of a mixer. It is also suggested that the attackers may have operated as a coordinated group with divided roles rather than as a single individual.

✅ Aevo's Response and Confusion

After the incident was discovered, Aevo halted the old Ribbon Vault. Initially it proposed a partial compensation plan, but the plan was retracted once its premise was found to be incorrect. As a result, users who had already withdrawn funds and those who still had funds in the Vault ended up in different situations.

✅ What This Case Demonstrates

This issue shows that the danger lies not only in outdated smart contracts but also in the mistaken belief that running code is "effectively not being used." Even if marked as deprecated, code that retains funds and permissions remains a target for attacks. The incident highlights how ignoring past design principles during an update can instantly invalidate long-standing security measures.
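As an added illustration (hypothetical code, not Ribbon's or Aevo's), the two configuration mistakes described above, a tx.origin-gated ownership transfer with an unguarded price setter and a fixed 18-decimal assumption, placed next to a hardened oracle that authorizes on msg.sender and scales amounts by each asset's own decimals; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Ribbon/Aevo code. Names are hypothetical.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

// Weak pattern: ownership gated on tx.origin, setter with no access check,
// and every asset valued as if it had 18 decimals.
contract WeakOracle {
    address public owner = tx.origin;
    mapping(address => uint256) public price; // 1e18-scaled price per whole unit

    function transferOwnership(address newOwner) external {
        // tx.origin is the EOA that started the transaction, not the caller:
        // any contract the owner happens to interact with passes this check.
        require(tx.origin == owner, "not owner");
        owner = newOwner;
    }

    function setPrice(address asset, uint256 p) external { price[asset] = p; } // no check

    // An 8-decimal asset amount is divided by 1e18 here, so its value is
    // understated by 1e10; the mirror-image bug overstates it by 1e10.
    function valueOf(address asset, uint256 amount) external view returns (uint256) {
        return amount * price[asset] / 1e18;
    }
}

// Hardened pattern: msg.sender-based access control and per-asset decimals.
contract HardenedOracle {
    address public owner;
    mapping(address => uint256) private rawPrice; // 1e18-scaled price per whole unit

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    function setPrice(address asset, uint256 p) external onlyOwner {
        require(p != 0, "zero price");
        rawPrice[asset] = p;
    }

    // Scale by the token's actual decimals (8 for a WBTC-like asset, 18 for WETH).
    function valueOf(address asset, uint256 amount) external view returns (uint256) {
        uint256 p = rawPrice[asset];
        require(p != 0, "price unset");
        uint8 d = IERC20Metadata(asset).decimals();
        require(d <= 18, "unsupported decimals");
        return amount * p / (10 ** uint256(d));
    }
}
```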

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.