How Does Aevo Work?
An options and perpetual futures trading platform that runs on its own custom blockchain. It holds $22M in deposits and raised $17M in funding. Its C- grade reflects a $2.7M exploit in December 2025 caused by a price feed precision error, plus centralization risks from its privately run blockchain and matching engine.
TVL
$20M
Sector
Derivatives
Risk Grade
C
Value Grade
D+
Core Mechanisms
Derivatives/Options-Vault
Decentralized options vaults (DOVs) executing covered call and put strategies automatically
Inherited from Ribbon Finance. DOVs auto-sell options for yield. Standard pattern since 2021. Legacy Ribbon vaults decommissioned after December 2025 exploit.
Derivatives/Perpetuals
Perpetual futures trading with off-chain order book and on-chain settlement
Hybrid exchange model with off-chain order matching. Standard for derivatives DEXs (dYdX, GMX).
Derivatives/Options-Trading
Options trading platform with on-chain options contracts
Standard options trading with Black-Scholes pricing models.
Oracle/Proxy-Upgradeable
NovelProxy-based oracle stack with upgradeable precision and expiry price setting
Custom oracle infrastructure using proxy pattern. December 2025 upgrade changed precision to 18 decimals, creating mismatch with 8-decimal legacy assets.
Derivatives/Structured-Products
Automated structured products combining options strategies for yield generation
Yield strategies packaging options positions. Follows Ribbon Finance pattern established in 2021.
Settlement/Off-Chain-Matching
Off-chain order book with centralized matching engine and on-chain settlement
Standard off-chain matching pattern used by dYdX and other derivatives DEXs.
Rollup/Custom-L2
Aevo L2 rollup for high-performance derivatives trading
Custom OP Stack rollup. Application-specific rollups are an established pattern (dYdX, StarkEx).
How the Pieces Interact
Oracle upgrade changing precision from 8 to 18 decimals created exploitable mismatch. Attacker set arbitrary expiry prices and drained $2.7M from DOV vaults in December 2025.
Complex structured products require high-fidelity pricing at multiple points. Any oracle imprecision directly translates to extractable value for sophisticated attackers.
Centralized matching engine creates information asymmetry where the operator can observe orders before on-chain settlement, enabling potential front-running.
Incomplete migration from Ribbon left legacy contracts active with outdated security assumptions, directly enabling the December 2025 exploit. Now decommissioned.
Centralized sequencer could censor or reorder transactions during volatile markets, affecting options expiry and liquidation timing.
What Could Go Wrong
- December 2025 oracle exploit drained $2.7M from legacy Ribbon DOV vaults via precision mismatch and access control flaw in the proxy-upgradeable oracle stack.
- Custom proxy-upgradeable oracle infrastructure creates ongoing precision and access control attack vectors when new assets are added or decimal configurations change.
- Centralized matching engine on custom L2 rollup creates information asymmetry where the operator can observe orders before on-chain settlement.
Oracle Precision Exploit Cascade
ElevatedTrigger: A proxy oracle upgrade introduces another precision mismatch on a newly listed asset with $5M+ in active options positions
- 1.Oracle upgrade changes decimal precision for new asset feeds without updating all consuming contracts — Attacker sets arbitrary expiry prices for affected assets via exposed access control
- 2.Structured product vaults settle options at manipulated expiry prices — Vault depositors lose principal as options settle at attacker-controlled values
- 3.Exploit news triggers mass withdrawal from all Aevo vaults and positions — Centralized matching engine overwhelmed; settlement delays compound user panic
- 4.AEVO token crashes as market prices in repeated oracle vulnerability pattern — Protocol reputation permanently damaged; institutional users exit platform
Risk Profile at a Glance
Overall: C (49/100)
Lower score = safer