Aevo (formerly Ribbon Finance) is attempting to contain a $2.7 million exploit of its legacy vaults, but the proposed cure, seizing funds from "dormant" depositors to make active users whole, has triggered a fierce governance backlash. The controversy centers on a recovery plan that imposes a 19% haircut on immediate withdrawals while effectively setting an expiration date on the deposits of long-term holders.
The "Use It or Lose It" Precedent
On December 12, an attacker exploited an oracle vulnerability in Ribbon’s legacy DOV (DeFi Option Vaults) contracts, draining roughly $2.7 million. While the Aevo team moved quickly to pause the vaults, the subsequent recovery proposal stunned the community.
The terms are blunt: active users face an immediate 19% loss (mitigated from an actual 32% deficit by DAO treasury funds). However, the protocol plans to liquidate any assets remaining in "dormant" accounts—defined as inactive for two to four years—after a six-month claim window closes in June 2026. These seized funds would then be redistributed to active claimants to cover their haircuts.
"The team aims to prioritize active users… implying a ‘strong chance’ users could be made whole after a six-month claim window, depending on how many dormant accounts remain inactive."
This "Robin Hood" logic, taking from the absent to pay the present, reverses the standard DeFi ethos where smart contract deposits are immutable property, not subject to activity clauses. Critics argue this amounts to a confiscation of assets from early supporters who may simply be holding long-term.
Silence and Sell-Offs
The optics worsened when Aevo restricted replies to its official announcement on X (formerly Twitter), a move widely interpreted as damage control to stifle dissent. Community trust evaporated.
Market reaction was swift but contained, likely because the exploit targeted legacy infrastructure rather than the core Aevo exchange. AEVO currently trades at $0.042, down roughly 2% in the last 24 hours, though the token has bled over 11% since the news broke earlier this week.
Institutional Context
This incident sets a precarious governance benchmark. If a DAO can retroactively classify inactivity as consent for asset forfeiture, the definition of "custody" in DeFi becomes fluid. For institutional allocators, who often leave positions dormant for years, Aevo’s proposal introduces a new vector of governance risk: the threat of having assets socialized to cover protocol failures simply for not checking in.