Rhea Finance Exploited for $7.6M via Fake Token Attack

Security firm CertiK flagged the Rhea Finance exploit through its official X account. The alert described how counterfeit tokens and fresh liquidity pools misled Rhea’s pricing layer. CertiK also shared the attacker’s address, and the full transaction trail is visible on NEARBlocks.

How the Rhea Finance Exploit Worked

The attacker first deployed fake token contracts on NEAR. Then, those counterfeit assets were paired with legitimate tokens inside new liquidity pools.

Because Rhea’s oracle relied on recent price and liquidity data, the fresh pools produced a convincing but artificial price signal. Consequently, the validation layer accepted the distorted data at face value.

Once inside the system, the attacker borrowed or swapped against inflated valuations. In turn, the protocol’s reserves treated the positions as properly collateralized. Roughly $7.6 million flowed into the attacker-controlled address before detection.

Notably, the entire sequence required no private-key compromise. It also did not rely on flash-loan sophistication beyond the initial deployment. The attacker only needed to create and fund pools faster than the oracle’s update window.

Because the pools were brand new, there was no historical on-chain activity to flag the anomaly. Most DeFi oracles weight recent trades and liquidity depth when pricing assets. By flooding new pools with fake tokens and real collateral, the attacker created a temporary but convincing price feed. The validation contracts then authorized withdrawals that appeared properly backed on paper.

What Is Rhea Finance

Rhea Finance emerged in 2025 as the merger of Ref Finance and Burrow Finance. Specifically, Ref Finance was NEAR’s original leading DEX. Meanwhile, Burrow Finance was the chain’s top lending protocol.

Together, the combined platform operates as a chain-abstracted liquidity hub. Users can trade, lend, and farm across NEAR, Bitcoin, Base, Arbitrum, and TRON from a single interface. In addition, it runs on NEAR’s intent-based architecture and chain signatures for cross-chain self-custody.

By early 2026, Rhea had grown into one of NEAR’s most complete DeFi environments. It offered unified access to spot markets, perpetuals, and borrowing under one set of smart contracts. The protocol had also positioned itself as a flagship example of NEAR’s chain-abstraction vision.

Why This Exploit Matters for Chain Abstraction

This incident strikes at the core of chain-abstraction promises. In particular, protocols like Rhea market themselves as simplifying multi-chain DeFi through oracles and validation layers.

When those layers can be gamed by low-effort fake liquidity, however, the abstraction becomes a liability. NEAR has promoted its intent-centric design as more resilient than traditional bridges. Yet this Rhea Finance exploit proves that pool-based price data remains vulnerable to artificial liquidity attacks.

The attack pattern is not new, either. For example, Mango Markets lost $114 million in October 2022 through a similar oracle manipulation scheme. Cream Finance and Harvest Finance also suffered comparable exploits. As a result, the persistence of this vector suggests oracle manipulation remains unsolved at a fundamental level.

The Rhea Finance exploit also adds to a growing tally of DeFi losses in 2026. This year has already seen repeated high-value incidents that have strained user confidence. For institutional investors considering on-chain liquidity hubs, each new exploit raises the bar for security assurances.

Early Signs of Partial Fund Return

Meanwhile, community observers have noted on-chain activity suggesting partial fund returns. Some records reportedly show reversals to Rhea-linked addresses.

If confirmed, the net loss could shrink significantly. Similar patterns appeared in past incidents like the Euler Finance hack, where negotiated returns reduced the final damage. In that case, the attacker returned nearly all stolen funds after on-chain negotiations.

So far, Rhea Finance has not issued an official post-mortem or pause announcement. Typically, standard procedure involves freezing affected contracts and notifying users. The team would also coordinate with NEAR core contributors and security firms for forensic review.

NEAR’s ecosystem has weathered past incidents through rapid community coordination. The same recovery model is already being discussed in replies to CertiK’s original alert on X.

Loading chart...

What Comes Next for Rhea Finance

The protocol’s response speed will determine the outcome. If the returned funds materialize, Rhea may recover most of the loss. Otherwise, the team will likely tap insurance reserves or community governance for compensation.

For users, the immediate risk is contained to the exploited pools. Still, broader TVL could see outflows as participants reassess oracle-related exposure across NEAR.

Longer term, this episode will push Rhea to harden its oracle logic. Possible fixes include requiring longer price history and multi-source aggregation. On-chain proof-of-reserves checks before accepting new-pool data could also help. Some protocols have already adopted time-weighted average prices (TWAPs) to resist short-term manipulation.

The $7.6 million figure is material but small relative to Rhea’s overall scale. Still, the narrative damage to trust in abstracted liquidity may outlast the financial impact.

The attacker address is public, and CertiK is tracking the case. The DeFi security cycle of exploit, alert, investigation, and potential refund has begun once again.