GoPlus: Ribbon Finance attack likely caused by "project team management address being compromised by hackers"

Jinse Finance reported that the GoPlus Chinese community posted an analysis on social media explaining the mechanism behind the attack on the decentralized options protocol Ribbon Finance. The attacker, using address 0x657CDE, upgraded the price proxy contract to a malicious implementation contract, then set the expiration date of four tokens—stETH, Aave, PAXG, and LINK—to December 12, 2025, 16:00:00 (UTC+8) and tampered with the expiration prices, exploiting the incorrect prices to profit from the attack. Notably, when the project contract was created, the _transferOwnership status value of the attack address had already been set to true, allowing it to pass the contract's security checks. Analysis shows that this attack address may have originally been one of the project's management addresses, which was later taken over by a hacker through social engineering or other means and used to carry out this attack.