Key Highlights
- CertiK reported an attack estimated at $7.6 million on Rhea Finance.
- The attack involved creating fake tokens and injecting liquidity into new pools to bypass validation checks.
- The exploit likely deceived Rhea Finance’s oracle and validation mechanisms, enabling unauthorized fund withdrawals.
Rhea Finance, a chain-abstracted DeFi hub built on the NEAR Protocol, has suffered a major security incident, according to blockchain security firm CertiK.
In an X post on Thursday, CertiK estimated total losses at around $7.6 million. The attacker reportedly drained funds by creating fake token contracts and injecting liquidity into newly created or “fresh” pools within the protocol.
This manipulation seems to have tricked Rhea Finance’s oracle and validation mechanisms, permitting unauthorized extraction of assets. Certik also highlighted the suspected attacker’s primary wallet or contract address on NEAR to be 31ac7a27….
Meanwhile, Tether CEO Paolo Ardoino, in an X post, stated that Tether froze approximately $3.29 million in USDT linked to the attacker shortly after the exploit.
Temporary pause on the activity
Considering the matter, the Rhea team has temporarily paused the contracts till a thorough investigation. According to an update on X, the team noted, “The Rhea team is aware of an incident affecting the protocol. As a precautionary measure, we have temporarily paused the contracts while we conduct a thorough investigation.”
The team also assured that it is working closely with key partners, stakeholders, and security experts to minimize any potential risks.
Technical background
The platform enables users to trade, lend, borrow, provide liquidity, and farm across multiple chains, including Bitcoin, Ethereum, Solana, Arbitrum, Base, BSC, and TRON, without relying on bridges or wrapped assets. It uses native wallets enabled by NEAR’s chain signature feature, along with AI-based yield optimization and intent-based execution. The platform’s native token is RHEA.
On April 15, Rhea Finance updated with its Beta Multichain Airdrop on its platform, which offered a total of 400k plus 100k oRHEA in rewards.
Rising trend of security incidents
The exploit adds to a growing list of DeFi security breaches in 2026. In March 2026, CertiK highlighted 103 security incidents and 36 phishing scams in the crypto industry since the beginning of this year. Some major exploits reported by CertiK were Step Finance, which lost around $27 million, and Truebit, which lost about $26.6 million.
Some other losses included Resolv ($26.8M), Swapnet ($13.3M), and YieldBlox (around $10.5M). The combined losses from these incidents reached around $104 million, taking the broader estimate of around $480 million in total crypto losses year-to-date, as reported on March 27.
Meanwhile, exploits in April surged with major attacks, including Hyperbridge ($2.5M), Polkadot ($237k), Drift Protocol ($285M), and LML Staking Protocol ($950k).
Broader implications
The incident highlights ongoing vulnerabilities in DeFi systems, particularly around oracle design, liquidity validation, and token verification mechanisms. While blockchain transparency may assist in tracking funds, the use of fake tokens and newly created liquidity pools can complicate mitigation efforts and recovery.
Users are advised not to use Rhea Finance till the matter is completely resolved. Also, here is how users can remove tokens from Rhea Finance.
Also Read:Drift Switches to USDT in $147.5M Tether-Backed Relaunch Plan
