Verify a decision

{"actor":"system:backfill","investigation_id":"4a96af88-86dd-43ea-aa9a-acfba1b7ebc3","kind":"publish","page_slug":"rhea-finance-exploit-april-2026","published_at":"2026-06-08T01:22:09.568Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Rhea Finance Exploit (April 2026)","sections":[{"content":"Rhea Finance is a chain-abstracted DeFi protocol operating on the NEAR blockchain. It was formed in March 2025 through the merger of Ref Finance, NEAR's original leading decentralized exchange, and Burrow Finance, the chain's primary lending protocol. The combined platform offers DEX swapping, lending and borrowing, margin trading, and cross-chain asset transfers spanning NEAR, Ethereum Virtual Machine (EVM) chains, Solana, and Bitcoin. Its native token is $RHEA, consolidating the predecessor tokens $REF and $BRRR. Prior to the April 2026 exploit, Rhea Finance held approximately 95% of NEAR's total DeFi value locked, making it critical infrastructure for the ecosystem. The protocol had listed security auditors Blocksec, Slowmist, and Immunefi as partners. The platform reported $10 billion in total volume for 2025.","heading":"Protocol Background","severity":"low","sources":[{"credibility":2,"name":"Ref Finance and Burrow Finance Merge to Launch Rhea Finance – Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/ref-finance-and-burrow-finance-merge-to-launch-rhea-finance-the-chain-abstracted-liquidity-solution/"},{"credibility":2,"name":"RHEA Finance – IQ.wiki","type":"other","url":"https://iq.wiki/wiki/rhea-finance"},{"credibility":3,"name":"NEAR Protocol on X: 2025 RHEA Recap","type":"social_media","url":"https://x.com/NEARProtocol/status/2006204832634249293"},{"credibility":2,"name":"NEAR Protocol DeFi Hub Rhea Finance Loses $7.6 Million in Oracle Exploit – CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/near-protocol-defi-hub-rhea-finance-loses-7-6-million-in-oracle-exploit/"}]},{"content":"On April 16, 2026, CertiK first reported the exploit via a post on X, initially placing losses at approximately $7.6 million. Rhea Finance subsequently released an internal investigation report revising total losses upward to approximately $18.4 million — more than double the initial estimate. The revision reflected the full depletion of the protocol's reserve pool across both the DEX and lending components. The attack affected a range of assets including USDC, USDT, Zcash (ZEC), and NEAR. Rhea Finance immediately paused lending contracts upon confirming the breach.","heading":"Attack Overview and Revised Loss Estimate","severity":"critical","sources":[{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million, more than double initial estimates – The Block","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"Rhea Finance Devastated by $18.4M Hack: Slippage Flaw Drains Protocol Reserves – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1036012"},{"credibility":2,"name":"Crypto Hack: NEAR Protocol's Rhea Finance Loses $18.4M in Exploit – The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2026/04/18/crypto-hack-near-protocols-rhea-finance-loses-18-4m-in-exploit/"},{"credibility":2,"name":"Rhea Finance exploited for $18.4 million, some recovered – Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/rhea-finance-exploit"}]},{"content":"According to Rhea Finance's post-mortem and independent analysis by Halborn and CertiK, the exploit was a two-phase operation executed over approximately two to three days. Phase 1 (April 13–15, 2026): The attacker funded a primary wallet through cross-chain transfers and distributed funds across 423 unique intermediary wallets in rapid automated succession. The attacker then deployed purpose-built fake token contracts that exposed no standard metadata, and created eight new trading pools on the embedded Ref Finance DEX, pairing fake tokens against USDC, USDT, and wNEAR at artificially controlled price ratios. By conducting trades within these pools, the attacker generated an on-chain price history that the protocol's oracle — which relied on recent trade activity rather than time-weighted averages or minimum token age requirements — accepted as legitimate. Phase 2 (April 16, 2026): The attacker exploited a critical flaw in Rhea Finance's slippage protection mechanism within the margin trading module. The protection system summed expected outputs across all sequential swap steps to verify that users received fair value. The flaw was that the system counted the same token value twice across sequential steps. The attacker constructed a swap path such that Step 1 converted 1,000 USDC into 999 AttackerToken and Step 2 converted 999 AttackerToken back into 1 USDC. The slippage check registered a total output of 1,000 (summing across steps), but only 1 USDC was actually returned to the protocol while 999 USDC remained in the attacker's fake pool. This structure allowed the attacker to open large margin trading positions, funnel borrowed debt tokens into attacker-controlled pools, and trigger undercollateralized liquidations that drained the protocol's reserve pool. Halborn noted similarity to the 2023 KyberSwap exploit ($54.7 million), which used the same sequential value-counting vulnerability. The technique also bears resemblance to the 2022 Mango Markets oracle manipulation ($114 million).","heading":"Attack Method: Two-Phase Fake Token and Slippage Bypass","severity":"critical","sources":[{"credibility":1,"name":"Explained: The Rhea Finance Hack (April 2026) – Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026"},{"credibility":2,"name":"$18.4M Rhea Finance Hack Built Over Two Days, Post-Mortem Reveals – CoinEdition","type":"news_article","url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw – AMBCrypto","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":2,"name":"Rhea Finance Investigation Report – PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/019d9e7e-3b97-719c-bef3-f6b28974824c"}]},{"content":"CertiK identified the primary attacker wallet or contract address on NEAR as beginning with '31ac7a27', though the full address was not published in available reports. According to Rhea Finance's post-mortem, the protocol shared two addresses linked to the attacker: one on the Ethereum network and one on NEAR. These addresses were disclosed publicly to support tracking by centralized exchanges and investigators. The Near Intents team stated it had identified the attacker and suggested the individual may have a public presence on X (formerly Twitter). A formal trace was opened with centralized exchanges to identify the account holder. The specific full wallet addresses had not been published in any source available to this investigation.","heading":"Attacker Identification and Addresses","severity":"high","sources":[{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million – The Block","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"}]},{"content":"Partial recovery of stolen assets occurred through three channels as of late April 2026. First, the attacker voluntarily deposited approximately $3.359 million USDC and 1.564 million NEAR (combined estimated value approximately $3.4–3.5 million) back into Rhea Finance's lending contract. Second, Tether CEO Paolo Ardoino publicly confirmed that Tether froze $3.291 million USDT directly in the attacker's wallet using contract-level controls, preventing the funds from being transferred through decentralized exchanges or bridges. A further $1.053 million USDT was frozen in NEAR Intents, bringing total USDT freezes to approximately $4.34 million. Third, on-chain evidence indicated approximately $3.5 million in Ethereum transfers and 13,500 ZEC (valued at approximately $4.44 million) were identified in transit, though recovery of these funds was not confirmed. In aggregate, approximately $9 million of the $18.4 million total loss was recovered or frozen. Approximately $8–9 million remained outstanding. Claims circulating on social media that 'all funds were returned' have been assessed as partly false by fact-checkers; the recovery is real but incomplete.","heading":"Fund Recovery and Tether Freeze","severity":"high","sources":[{"credibility":2,"name":"Tether Freezes $3.29M USDT Tied To Rhea Finance Exploit – TronWeekly","type":"news_article","url":"https://www.tronweekly.com/tether-freezes-3-29m-to-rhea-finance-exploit/"},{"credibility":2,"name":"Tether Blocks $3.29M USDT Linked To Rhea Finance Exploit – CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/32722910/"},{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M – AMBCrypto","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"Tether Freezes $3.29M USDT After Rhea Finance Hack Alert – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1035379"}]},{"content":"The NEAR token declined approximately 3.5% in the period following the exploit announcement, reflecting contagion risk from Rhea Finance's position as the dominant DeFi protocol on the NEAR chain. Rhea Finance's native $RHEA token reportedly dropped approximately 8% at initial news of the exploit. Rhea Finance held approximately 95% of NEAR's total value locked prior to the incident, meaning the exploit represented a significant systemic shock to the NEAR DeFi ecosystem. The lending contracts were paused pending investigation, preventing further withdrawals and restricting user access. The protocol stated it was working with key partners, stakeholders, and security experts to minimize potential risks. No third-party security firm published a complete independent audit of the post-mortem as of the sources reviewed for this investigation.","heading":"Protocol and Market Impact","severity":"high","sources":[{"credibility":2,"name":"NEAR Drops 3.5% Amid Rhea Finance Exploit and Market Shifts – CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/top-stories/69e38f7ba32c5611bd480fa7/"},{"credibility":3,"name":"RHEA Finance Hacked $7.6M Gone in Seconds as Token Crashes 8% – HokaNews","type":"news_article","url":"https://www.hokanews.com/2026/04/rhea-finance-hacked-76m-gone-in-seconds.html"},{"credibility":2,"name":"Rhea Finance hit by $7.6M exploit as attacker manipulates liquidity pools – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1032917"},{"credibility":2,"name":"NEAR Protocol DeFi Hub Rhea Finance Loses $7.6 Million in Oracle Exploit – CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/near-protocol-defi-hub-rhea-finance-loses-7-6-million-in-oracle-exploit/"}]},{"content":"The Rhea Finance exploit reflects two persistent vulnerability classes in DeFi. The oracle manipulation component — using newly seeded fake token pools to create synthetic price histories — echoes the Mango Markets exploit (October 2022, $114 million) and Harvest Finance and Cream Finance incidents. The slippage protection bypass, in which the same token value is counted twice across sequential swap steps, mirrors the KyberSwap exploit of 2023 ($54.7 million). Security researchers have repeatedly noted that protocols relying on spot price data from recent trade activity without minimum token age, minimum liquidity thresholds, or time-weighted average price (TWAP) windows remain vulnerable to this class of attack. Halborn's post-incident analysis identified the Rhea Finance case as illustrating a 'composite' exploit that combined both oracle manipulation and validation logic flaws into a single attack path, raising the total impact beyond what either vector alone would have achieved.","heading":"Broader Context: Oracle and Slippage Vulnerabilities in DeFi","severity":"medium","sources":[{"credibility":1,"name":"Explained: The Rhea Finance Hack (April 2026) – Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026"},{"credibility":2,"name":"400M+ Lost to DeFi Exploits in 2026 – CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"},{"credibility":2,"name":"Weekly Incident Report: April 13–18, 2026 – Recoveris","type":"research","url":"https://recoveris.io/weekly-incident-report-april-13-18-2026/"}]}],"sources_used":[{"credibility":1,"name":"Explained: The Rhea Finance Hack (April 2026) – Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026"},{"credibility":1,"name":"Rhea Finance post-mortem puts exploit losses at $18.4 million – The Block","type":"news_article","url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"credibility":2,"name":"Rhea Finance Loses $7.6M in Exploit, Says CertiK – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"credibility":2,"name":"Hacker Returns All The Funds to Rhea Finance: Fact Check – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"},{"credibility":2,"name":"$18.4M Rhea Finance Hack Built Over Two Days, Post-Mortem Reveals – CoinEdition","type":"news_article","url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"credibility":2,"name":"Rhea Finance revises exploit losses to $18.4M, confirms slippage flaw – AMBCrypto","type":"news_article","url":"https://ambcrypto.com/rhea-finance-revises-exploit-losses-to-18-4m-confirms-slippage-flaw-as-funds-partially-recovered/"},{"credibility":2,"name":"Tether Freezes $3.29M USDT Tied To Rhea Finance Exploit – TronWeekly","type":"news_article","url":"https://www.tronweekly.com/tether-freezes-3-29m-to-rhea-finance-exploit/"},{"credibility":2,"name":"Tether Blocks $3.29M USDT Linked To Rhea Finance Exploit – CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/32722910/"},{"credibility":2,"name":"Tether Freezes $3.29M USDT After Rhea Finance Hack Alert – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1035379"},{"credibility":2,"name":"Rhea Finance Devastated by $18.4M Hack: Slippage Flaw – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1036012"},{"credibility":2,"name":"Crypto Hack: NEAR Protocol's Rhea Finance Loses $18.4M – The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2026/04/18/crypto-hack-near-protocols-rhea-finance-loses-18-4m-in-exploit/"},{"credibility":2,"name":"Rhea Finance Investigation Report – PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/019d9e7e-3b97-719c-bef3-f6b28974824c"},{"credibility":2,"name":"Rhea Finance exploited for $18.4 million, some recovered – Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/rhea-finance-exploit"},{"credibility":2,"name":"NEAR Drops 3.5% Amid Rhea Finance Exploit – CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/top-stories/69e38f7ba32c5611bd480fa7/"},{"credibility":2,"name":"Rhea Finance hit by $7.6M exploit as attacker manipulates liquidity pools – MEXC News","type":"news_article","url":"https://www.mexc.com/news/1032917"},{"credibility":2,"name":"NEAR Protocol DeFi Hub Rhea Finance Loses $7.6 Million – CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/near-protocol-defi-hub-rhea-finance-loses-7-6-million-in-oracle-exploit/"},{"credibility":2,"name":"400M+ Lost to DeFi Exploits in 2026 – CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"},{"credibility":2,"name":"Weekly Incident Report: April 13–18, 2026 – Recoveris","type":"research","url":"https://recoveris.io/weekly-incident-report-april-13-18-2026/"},{"credibility":2,"name":"Rhea Finance Exploit Drains $7.6M – EtherWorld","type":"news_article","url":"https://etherworld.co/rhea-finance-exploit-drains-7-6m/"},{"credibility":2,"name":"Rhea Finance Exploit: $7.6M Drained via Fake Token Pools – Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/rhea-finance-exploit-7-6m-drained-via-fake-token-pools/"},{"credibility":2,"name":"RHEA Finance – IQ.wiki","type":"other","url":"https://iq.wiki/wiki/rhea-finance"},{"credibility":2,"name":"Ref Finance and Burrow Finance Merge to Launch Rhea Finance – Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/ref-finance-and-burrow-finance-merge-to-launch-rhea-finance-the-chain-abstracted-liquidity-solution/"},{"credibility":2,"name":"Rhea Finance DeFi Protocol Hacked for $7.6 Million – Phemex News","type":"news_article","url":"https://phemex.com/news/article/rhea-finance-defi-protocol-hacked-for-76-million-73756"},{"credibility":2,"name":"Rhea Finance Devastated by $7.6M Hack via Oracle Attack – CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/742da-rhea-finance-defi-hack-exploit"}],"summary":"On April 16, 2026, Rhea Finance — the leading DeFi hub on the NEAR blockchain, formed by the March 2025 merger of Ref Finance and Burrow Finance — was exploited for an estimated $18.4 million (initially reported as $7.6 million) via a two-phase attack combining fake token pool seeding with a slippage-protection bypass in its margin trading module. Approximately $9 million in assets was subsequently recovered or frozen, including $3.291 million USDT frozen by Tether, leaving an estimated $8–9 million outstanding as of late April 2026.","timeline":[{"date":"2025-03-01","event":"Ref Finance and Burrow Finance announce merger to form Rhea Finance, the chain-abstracted DeFi hub on NEAR Protocol.","source":"Bitcoin.com News","source_url":"https://news.bitcoin.com/ref-finance-and-burrow-finance-merge-to-launch-rhea-finance-the-chain-abstracted-liquidity-solution/"},{"date":"2026-04-13","event":"Alleged attacker begins preparation phase: funds primary wallet via cross-chain transfers, distributes funds across 423 intermediary wallets, deploys fake token contracts, and creates eight fraudulent trading pools on Ref Finance.","source":"CoinEdition / Rhea Finance Post-Mortem","source_url":"https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/"},{"date":"2026-04-16","event":"Exploit executed: attacker uses slippage protection bypass in margin trading module to drain the protocol's reserve pool. Initial losses estimated at $7.6 million by CertiK. Rhea Finance pauses lending contracts.","source":"CryptoTimes / CertiK","source_url":"https://www.cryptotimes.io/2026/04/16/rhea-finance-loses-7-6m-in-exploit-says-certik/"},{"date":"2026-04-16","event":"Tether CEO Paolo Ardoino confirms Tether froze $3.291 million USDT in the attacker's wallet. A further $1.053 million USDT frozen in NEAR Intents.","source":"TronWeekly / MEXC News","source_url":"https://www.tronweekly.com/tether-freezes-3-29m-to-rhea-finance-exploit/"},{"date":"2026-04-17","event":"Rhea Finance publishes preliminary analysis. Recovery efforts begin; protocol works with centralized exchanges and security experts.","source":"CryptoTimes Fact-Check","source_url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"},{"date":"2026-04-18","event":"Rhea Finance releases full post-mortem revising total losses to $18.4 million. Attacker identified as having returned approximately $3.359 million USDC and 1.564 million NEAR to the lending contract. Near Intents team states attacker has been identified; formal CEX tracing initiated.","source":"The Block / AMBCrypto / The Coin Republic","source_url":"https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates"},{"date":"2026-04-18","event":"CryptoTimes fact-check rates as 'partly true' claims that all funds were returned. Total recovered or frozen approximately $9 million of $18.4 million; approximately $8–9 million remains outstanding.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/04/18/hacker-returns-all-the-funds-to-rhea-finance-fact-check/"}]},"v":1}