GoPlus: Suspected "project party management address being controlled by hackers" led to the attack on Ribbon Finance

GoPlus Chinese community analyzes the principle of the attack on the decentralized options protocol Ribbon Finance in a social media post.

The attacker upgraded the price oracle contract to a malicious implementation contract through the address 0x657CDE, and then set the expiration time of four tokens: stETH, Aave, PAXG, and LINK to December 12, 2025, 16:00:00 (UTC+8) and manipulated the expiration prices, profiting from the exploitation of the erroneous prices.

It is noteworthy that when the project party's contract was created, the _transferOwnership status value of the attack address had already been set to true, allowing it to pass the contract security checks. Analysis shows that this attack address was likely one of the project party's management addresses, which was later controlled by hackers through social engineering attacks and other means to carry out this attack.