Verify a decision

{"actor":"system:backfill","investigation_id":"75e439fb-33ad-4ea1-b87d-51dc3e5ec7f7","kind":"publish","page_slug":"rhea-finance","published_at":"2026-06-19T12:12:11.635Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Rhea Finance","sections":[{"content":"Rhea Finance was formed in early 2025 through the merger of Ref Finance, NEAR Protocol's primary decentralized exchange, and Burrow Finance, its main lending protocol. The combined entity markets itself as a unified, chain-abstracted liquidity hub offering trading, lending, and cross-chain asset management. According to NEAR Protocol's official X account, the platform processed $10 billion in total volume during 2025 and offered cross-chain interoperability spanning Zcash, Solana, Arbitrum, and Bitcoin. The native token, RHEA, replaced the predecessor tokens REF and BRRR following the merger. Rhea Finance was listed on exchanges including Bitget and LBank following the merger.","heading":"Protocol Background","severity":"low","sources":[{"credibility":3,"name":"NEAR Protocol on X: 2025 RHEA Recap","type":"social_media","url":"https://x.com/NEARProtocol/status/2006204832634249293"},{"credibility":2,"name":"One Protocol, Unified Power — The New RHEA Finance (Medium)","type":"official","url":"https://rhea-finance.medium.com/one-protocol-unified-power-the-new-rhea-finance-a50b04170bcd"},{"credibility":3,"name":"Bitget Lists Rhea Finance (RHEA) for Spot Trading Following Protocol Merger","type":"news_article","url":"https://www.ainvest.com/news/bitget-lists-rhea-finance-rhea-spot-trading-protocol-merger-2507/"}]},{"content":"On April 16, 2026, Rhea Finance was exploited through a vulnerability in the slippage protection mechanism of its margin trading module. Security firm CertiK was among the first to publicly flag the incident, initially reporting losses of approximately $7.6 million. Following an internal post-mortem, Rhea Finance revised the total loss to $18.4 million — more than double the initial estimate — confirming that the magnitude of the drain had not been fully captured in early on-chain assessments. The exploit is among the largest single-protocol losses on the NEAR blockchain to date.","heading":"April 2026 Exploit — Overview","severity":"critical","sources":[{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million, more than double initial estimates (The Block)","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"Crypto Hack: NEAR Protocol's Rhea Finance Loses $18.4M in Exploit (The Coin Republic)","type":"news_article","url":"https://www.thecoinrepublic.com/2026/04/18/crypto-hack-near-protocols-rhea-finance-loses-18-4m-in-exploit/"}]},{"content":"The root cause of the exploit was a logic flaw in how the margin trading module aggregated minimum output values (min_amount_out) across multi-step swap actions. The system summed expected output values across all swap steps but did not account for scenarios in which the output token of one step was reused as the input of the subsequent step. By constructing a swap chain that reused an intermediate asset, the attacker caused the slippage check to see an artificially inflated aggregate output that appeared to satisfy validation thresholds. A simplified illustration of the logic error: Step 1 converted 1,000 USDC into 999 AttackerToken with a minimum output of 999; Step 2 converted 999 AttackerToken back into 1 USDC with a minimum output of 1. The slippage aggregator summed 999 and 1 and treated the transaction as valid, while the attacker effectively extracted nearly all of the borrowed value. Using this mechanism, the attacker redirected borrowed debt tokens into fake token pools they controlled, leaving the protocol holding illiquid positions and triggering cascading liquidations that drained the reserve pool.","heading":"Technical Vulnerability — Slippage Protection Bypass","severity":"critical","sources":[{"credibility":2,"name":"$18.4M Rhea Finance Hack Built Over Two Days, Post-Mortem Reveals (Coin Edition)","type":"news_article","url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw as funds partially recovered (AMBCrypto)","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"Rhea Finance Exploit Results in $18.4 Million Loss (Phemex)","type":"news_article","url":"https://phemex.com/news/article/rhea-finance-suffers-184-million-exploit-due-to-slippage-protection-flaw-74100"},{"credibility":2,"name":"Explained: The Rhea Finance Hack, April 2026 (Halborn)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026"}]},{"content":"Post-mortem analysis revealed that the attacker spent approximately two days preparing the exploit infrastructure before executing the drain. Between April 13 and 15, 2026, the attacker created a subject wallet and distributed funds across 423 unique intermediary wallets to obscure the trail. The attacker also deployed purpose-built fake token contracts lacking standard metadata, established eight new trading pools on Ref Finance pairing fake tokens against USDC, USDT, and wNEAR at artificially controlled price ratios, and constructed a custom swap router connecting these fake pools. The exploit was then executed on April 16, 2026. The suspected attacker address on the NEAR blockchain begins with 31ac7a27. Aurora Labs and Near Intents co-founder Alex Shevchenko subsequently sent an on-chain message to the attacker stating that the team had identified them and their associated accounts, and calling for the return of remaining funds. The Near Intents team also opened formal traces with centralized exchanges to identify the account holder.","heading":"Attacker Preparation and Execution","severity":"critical","sources":[{"credibility":2,"name":"$18.4M Rhea Finance Hack Built Over Two Days, Post-Mortem Reveals (Coin Edition)","type":"news_article","url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":2,"name":"Rhea Finance investigation report via PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/019d9e7e-3b97-719c-bef3-f6b28974824c"}]},{"content":"Following the exploit, partial recovery efforts yielded meaningful results. The attacker voluntarily returned approximately $3.359 million in USDC and $1.564 million in NEAR to Rhea Finance's lending contract. Additionally, Tether CEO Paolo Ardoino confirmed that approximately $3.29 million in USDT linked to the attacker was frozen — raising the total of recovered or frozen funds to roughly $9.2 million against the revised $18.4 million total loss. On-chain evidence also showed approximately $3.5 million in Ethereum transfers and 13,500 ZEC (worth roughly $4.4 million at the time) potentially linked to the attacker's proceeds, though the disposition of these funds remained under investigation. A fact-check by Crypto Times found that claims of full fund recovery circulating on social media were unverified; the official position as of the post-mortem was that substantial losses remained outstanding.","heading":"Fund Recovery and Freezing","severity":"high","sources":[{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw as funds partially recovered (AMBCrypto)","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"NEAR Protocol DeFi Hub Rhea Finance Loses $7.6 Million in Oracle Exploit (BeInCrypto)","type":"news_article","url":"https://beincrypto.com/rhea-finance-near-exploit-oracle/"}]},{"content":"Immediately following detection of the exploit on April 16, 2026, Rhea Finance paused affected lending contracts to prevent further losses. The team engaged external security teams for forensic analysis, initiated centralized exchange tracing to identify the attacker, and attempted direct negotiations to recover the remaining outstanding funds. A post-mortem report was published revising total losses to $18.4 million and identifying the slippage protection flaw as the root cause. The team announced that a compensation and recovery framework was under development, to be funded through reserve funds and operational resources. As of the post-mortem date, no specific timeline or allocation details for the compensation plan had been publicly disclosed. Alex Shevchenko was quoted as acknowledging the partial return of funds, stating on-chain: 'This was the right thing to do, sir. Thanks for returning the money.'","heading":"Protocol Response and Compensation Framework","severity":"high","sources":[{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million, more than double initial estimates (The Block)","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw as funds partially recovered (AMBCrypto)","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"}]},{"content":"The RHEA token declined approximately 8% in the immediate aftermath of the April 16 exploit, trading near $0.01019 with a market cap of approximately $2.03 million at the time of early reports. NEAR Protocol's native token also fell approximately 3.5% amid the incident and broader market conditions. The exploit drew wider attention to oracle and token validation vulnerabilities in DeFi protocols built on NEAR, and was cited alongside the Drift hack as part of a broader pattern of DeFi security failures in early 2026. The incident represented one of the largest single losses in the NEAR DeFi ecosystem to date.","heading":"Market and Ecosystem Impact","severity":"high","sources":[{"credibility":3,"name":"Rhea Finance Hack on NEAR Drain $7.6M: RHEA Token Price Dips (CoinGabbar)","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/rhea-finance-crypto-hack-update-near-defi-rhea-token-price-drop"},{"credibility":2,"name":"NEAR Drops 3.5% Amid Rhea Finance Exploit and Market Shifts (CoinMarketCap)","type":"news_article","url":"https://coinmarketcap.com/top-stories/69e38f7ba32c5611bd480fa7/"},{"credibility":2,"name":"$7.6M Rhea Finance Exploit Sees 3.29M USDT Frozen — So Why Did $230M Move Freely in Drift Hack? (CCN)","type":"news_article","url":"https://www.ccn.com/education/crypto/rhea-finance-hack-usdt-frozen-drift-usdc-exploit/"}]}],"sources_used":[{"credibility":2,"name":"Explained: The Rhea Finance Hack, April 2026 (Halborn)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw as funds partially recovered (AMBCrypto)","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million, more than double initial estimates (The Block)","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"NEAR Protocol DeFi Hub Rhea Finance Loses $7.6 Million in Oracle Exploit (BeInCrypto)","type":"news_article","url":"https://beincrypto.com/rhea-finance-near-exploit-oracle/"},{"credibility":2,"name":"Crypto Hack: NEAR Protocol's Rhea Finance Loses $18.4M in Exploit (The Coin Republic)","type":"news_article","url":"https://www.thecoinrepublic.com/2026/04/18/crypto-hack-near-protocols-rhea-finance-loses-18-4m-in-exploit/"},{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check (Crypto Times)","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"},{"credibility":2,"name":"$18.4M Rhea Finance Hack Built Over Two Days, Post-Mortem Reveals (Coin Edition)","type":"news_article","url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"credibility":2,"name":"Rhea Finance Exploit Results in $18.4 Million Loss (Phemex)","type":"news_article","url":"https://phemex.com/news/article/rhea-finance-suffers-184-million-exploit-due-to-slippage-protection-flaw-74100"},{"credibility":2,"name":"NEAR DROPS 3.5% Amid Rhea Finance Exploit and Market Shifts (CoinMarketCap)","type":"news_article","url":"https://coinmarketcap.com/top-stories/69e38f7ba32c5611bd480fa7/"},{"credibility":2,"name":"$7.6M Rhea Finance Exploit Sees 3.29M USDT Frozen (CCN)","type":"news_article","url":"https://www.ccn.com/education/crypto/rhea-finance-hack-usdt-frozen-drift-usdc-exploit/"},{"credibility":2,"name":"One Protocol, Unified Power — The New RHEA Finance (Medium)","type":"official","url":"https://rhea-finance.medium.com/one-protocol-unified-power-the-new-rhea-finance-a50b04170bcd"},{"credibility":2,"name":"Rhea Finance investigation report (PANews)","type":"news_article","url":"https://www.panewslab.com/en/articles/019d9e7e-3b97-719c-bef3-f6b28974824c"},{"credibility":3,"name":"NEAR Protocol on X: 2025 RHEA Recap","type":"social_media","url":"https://x.com/NEARProtocol/status/2006204832634249293"}],"summary":"Rhea Finance is a chain-abstracted DeFi liquidity hub on the NEAR Protocol, formed in early 2025 through the merger of Ref Finance and Burrow Finance. On April 16, 2026, the protocol suffered a major exploit in which an attacker bypassed slippage protection in its margin trading module using intermediate asset reuse across a chain swap path, ultimately draining an estimated $18.4 million from the reserve pool — more than double the initial $7.6 million estimate. Approximately $9.2 million was subsequently returned or frozen, with the remainder still outstanding as of mid-2026; a compensation framework was announced but had not been finalized at the time of publication.","timeline":[{"date":"2025-03-01","event":"Ref Finance and Burrow Finance announce merger to form Rhea Finance, NEAR Protocol's unified DeFi liquidity hub.","source":"Rhea Finance Medium / NEAR Protocol","source_url":"https://rhea-finance.medium.com/one-protocol-unified-power-the-new-rhea-finance-a50b04170bcd"},{"date":"2026-04-13","event":"Attacker begins exploit preparation: creates subject wallet, begins distributing funds across 423 intermediary wallets, deploys fake token contracts, and establishes eight fraudulent trading pools on Ref Finance.","source":"Coin Edition / Post-Mortem","source_url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"date":"2026-04-16","event":"Exploit executed: attacker exploits slippage protection bypass in Rhea Finance's margin trading module, draining the reserve pool. CertiK reports initial loss of approximately $7.6 million. Rhea Finance pauses lending contracts.","source":"Crypto Times / CertiK","source_url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"date":"2026-04-16","event":"Tether CEO Paolo Ardoino announces approximately $3.29 million in USDT connected to the attacker has been frozen.","source":"BeInCrypto","source_url":"https://beincrypto.com/rhea-finance-near-exploit-oracle/"},{"date":"2026-04-17","event":"Rhea Finance releases post-mortem revising total losses upward to $18.4 million — more than double the initial estimate — and confirming the slippage protection flaw as root cause. Attacker returns approximately $3.359 million USDC and $1.564 million NEAR to lending contract.","source":"The Block / AMBCrypto","source_url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"date":"2026-04-18","event":"Aurora Labs and Near Intents co-founder Alex Shevchenko sends on-chain message to attacker stating identification and associated accounts have been traced; formal traces opened with centralized exchanges. Crypto Times fact-check finds claims of full fund recovery unverified.","source":"Crypto Times Fact Check / Coin Edition","source_url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"}]},"v":1}