TechFlow, December 15 — The GoPlus Chinese community posted an analysis on social media of the mechanism behind the attack on the decentralized options protocol Ribbon Finance.
The attacker used address 0x657CDE to upgrade the price proxy contract to a malicious implementation, then set the expiration time for the stETH, Aave, PAXG, and LINK tokens to December 12, 2025, at 16:00:00 (UTC+8) and manipulated the expiry prices, profiting from the resulting incorrect pricing.
Notably, when the project's contract was created, the _transferOwnership status value of the attacker's address had already been set to true, allowing it to pass the contract's security checks. Analysis indicates that this attacking address may have originally been one of the project’s management addresses, later compromised by hackers through social engineering or similar methods and used to carry out this attack.
As previously reported, Aevo confirmed that its legacy Ribbon DOV vault was attacked, resulting in a loss of approximately $2.7 million.




