Rhea Finance Exploit Losses Hit $18.4M, More Than Double Initial Estimate

NEAR's largest DeFi protocol revises hack damage upward after post-mortem reveals margin trading flaw. About $11.2 million has been returned or frozen so far.

Rhea Finance, the largest DeFi hub on NEAR Protocol, has confirmed that losses from its April 16 exploit total approximately $18.4 million, more than doubling the initial $7.6 million estimate flagged by blockchain security firm CertiK. The revised figure comes from a post-mortem published on April 18, which reveals the attacker exploited a slippage flaw in the protocol’s margin trading feature. Roughly $11.2 million in stolen assets has been returned or frozen, leaving an estimated $5.6 million still outstanding.

Fake Tokens, Forced Liquidations, Drained Reserves

The post-mortem reveals an attack that went deeper than the initial oracle manipulation reports suggested. The attacker used what Rhea described as a “deliberately constructed swap route” to open a large number of margin trading positions. Borrowed debt tokens were funneled into fake token pools created by the attacker, while only a negligible amount of position tokens were returned to the protocol.

The positions were left undercollateralized, triggering a cascade of liquidations that depleted Rhea’s reserve pool. The mechanism combined two classic DeFi attack vectors: oracle manipulation through fake liquidity pools and a slippage flaw in the margin trading logic that allowed the attacker to route trades through pools they controlled. Stolen assets included USDC, USDT, ZEC, and NEAR.
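
The failure described above is a margin open that accepts whatever the swap route returns. As an added illustration (not Rhea Finance's code, and not taken from the post-mortem), this Rust example shows a protocol-side check that rejects unlisted pools, enforces an output floor against oracle value, and requires the position to be healthy at open. The type names, pool ids, thresholds and sample values are all assumptions.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum OpenError {
    UnlistedPool(u64),
    ExcessiveSlippage { min_out: u128, got: u128 },
    Undercollateralized,
}

// Hypothetical policy: names and thresholds are assumptions, not Rhea's parameters.
pub struct Policy {
    pub allowed_pools: HashSet<u64>, // pools vetted for use in margin swap routes
    pub max_slippage_bps: u128,      // tolerated loss vs. oracle value, in basis points
    pub min_collateral_bps: u128,    // required (position + margin) / debt, in basis points
}

// All values are oracle-priced in the same unit (e.g. micro-USD).
pub struct MarginOpen<'a> {
    pub route: &'a [u64],     // pool ids the debt tokens are swapped through
    pub debt_value: u128,     // value of the borrowed debt tokens
    pub position_value: u128, // value of position tokens the swap actually returned
    pub margin_value: u128,   // value of the trader's own posted margin
}

pub fn check_open(p: &Policy, o: &MarginOpen) -> Result<(), OpenError> {
    // 1. Reject any hop through a pool that is not allowlisted (e.g. a freshly created one).
    if let Some(&bad) = o.route.iter().find(|id| !p.allowed_pools.contains(*id)) {
        return Err(OpenError::UnlistedPool(bad));
    }
    // 2. Enforce a protocol-side output floor instead of trusting a caller-chosen minimum.
    let min_out = o.debt_value * (10_000 - p.max_slippage_bps) / 10_000;
    if o.position_value < min_out {
        return Err(OpenError::ExcessiveSlippage { min_out, got: o.position_value });
    }
    // 3. The position must be healthy at open, so it cannot be created already liquidatable.
    if (o.position_value + o.margin_value) * 10_000 < o.debt_value * p.min_collateral_bps {
        return Err(OpenError::Undercollateralized);
    }
    Ok(())
}

fn main() {
    // Constructed sample: debt swapped through unlisted pool 99 for almost nothing.
    let p = Policy { allowed_pools: HashSet::from([1, 2]), max_slippage_bps: 100, min_collateral_bps: 11_000 };
    let o = MarginOpen { route: &[1, 99], debt_value: 1_000_000, position_value: 1_000, margin_value: 200_000 };
    println!("{:?}", check_open(&p, &o));
}
```

The three checks are independent on purpose: an allowlist alone does not help if a listed pool is thinly funded, and an output floor alone does not help if the oracle itself is fed by a pool the trader controls.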

Recovery Efforts: $11.2 Million Returned or Frozen

A significant portion of the stolen funds has already been recovered or frozen. The attacker returned roughly 3.36 million USDC and 1.56 million NEAR (worth approximately $3.5 million) directly to the protocol. Separately, Tether CEO Paolo Ardoino confirmed that $4.34 million in USDT linked to the attacker’s address has been frozen.

| Category | Amount |
| --- | --- |
| Total exploit losses (post-mortem) | $18.4 million |
| Initial estimate (CertiK) | $7.6 million |
| USDC returned by attacker | $3.36 million |
| NEAR returned by attacker | 1.56 million NEAR (~$3.5 million) |
| USDT frozen by Tether | $4.34 million |
| Total recovered / frozen | ~$11.2 million |
| Outstanding / unrecovered | ~$5.6 million (under investigation) |

Ardoino’s comment that “Tether takes this matter seriously” was widely interpreted as a subtle contrast to Circle’s handling of the Drift Protocol exploit earlier this month, where the stablecoin issuer faced criticism for not freezing stolen USDC during an eight-hour bridging window.

On-Chain Warning: “We Have Identified You”

Aurora Labs and Near Intents co-founder Alex Shevchenko sent the attacker a direct on-chain message warning that investigators had identified them and their associated accounts, and calling for the return of the remaining assets. The protocol has paused affected contracts and says it is working with centralized platforms and investigators to trace the outstanding $5.6 million. A compensation and recovery framework is in development, though no specific details have been released.

NEAR’s DeFi Concentration Risk Exposed

Rhea Finance was formed in early 2025 through the merger of Ref Finance and Burrow Finance, combining NEAR’s primary DEX and lending protocol into a single platform. At its peak, the protocol held more than 95% of NEAR’s total DeFi TVL, according to DefiLlama data. That concentration means an exploit on Rhea does not just affect one protocol; it ripples across nearly the entire NEAR DeFi ecosystem.

DefiLlama currently shows Rhea Finance holding approximately $128 million in TVL, suggesting the $18.4 million exploit represents a significant but not catastrophic share of platform liquidity. The protocol’s lending and borrowing functions remain suspended while the security audit and fund tracing continue.

Oracle Attacks Continue to Plague DeFi in 2026

The Rhea exploit adds to a growing list of DeFi security failures in 2026 tied to oracle design, liquidity manipulation, and validation logic. The $285 million Drift Protocol hack earlier this month used a similar playbook, with attackers seeding a fake token with minimal liquidity to fool oracle feeds. While audits from firms like CertiK and Trail of Bits provide baseline security checks, the pattern of exploits targeting the gap between market data and asset movement suggests the industry still lacks adequate defenses against economically motivated attacks that manipulate the assumptions protocols rely on to function.
