- Rhea Finance lost at least $7.6 million after an incident that CertiK said affected the protocol.
- The attacker allegedly created fake token contracts and added liquidity to fresh pools, likely misleading the oracle and validation layer.
- Paolo Ardoino said Tether froze about $3.29 million USDT linked to the attacker.
Rhea Finance suffered a suspected exploit that drained at least $7.6 million after an attacker appeared to have manipulated the protocol’s oracle and validation layer. The incident was first flagged by CertiK Alert on X, which said the attacker created fake token contracts and added liquidity in fresh pools, likely deceiving the system into approving unauthorized withdrawals.
The exploit appears to center on a classic DeFi weakness. By seeding new liquidity pools with fraudulent token contracts, the attacker may have distorted the protocol’s pricing and verification logic long enough to move real assets out of the system. Reports on the incident say the stolen assets included USDC, USDT, ZEC, and NEAR.
Fake Token Pools Tricked Core Protocol Checks
The alleged method is notable since it did not rely on a simple private key compromise. Instead, the attacker appears to have exploited trust in the protocol’s internal validation process. CertiK’s description points to manipulated pool creation and liquidity injection as the trigger that misled the oracle and allowed assets to be extracted.
Oracle and validation design remain among the most fragile parts of DeFi infrastructure. When a protocol accepts false liquidity or distorted pricing signals, attackers can create conditions where fake market data unlocks real funds. In Rhea Finance’s case, the use of fresh pools suggests the exploit targeted the system before those markets could mature or be stress-tested.
Frozen Funds Reduce Part of the Damage
Paolo Ardoino said Tether froze roughly $3.29 million in USDT linked to the attacker shortly after the exploit. That does not erase the damage, but it may improve the odds of partial recovery if authorities or the protocol later pursue restitution.
However, a large amount still appears to have moved beyond that frozen portion. At the time of reporting, the estimated loss remained at about $7.6 million, and the full path of the stolen funds had not yet been resolved publicly.
Pressure Lands on NEAR DeFi Security
Rhea Finance plays a central role in the NEAR ecosystem. Reporting on the incident described it as one of the network’s main DeFi hubs, which means the breach lands at an infrastructure level rather than at the edge of the ecosystem.
Additionally, the attack adds to the growing list of 2026 DeFi security failures tied to validation logic, liquidity assumptions, and oracle design. Rhea Finance now joins a broader pattern in which sophisticated attackers keep targeting the weakest layer between market data and asset movement.
Related: Brazil Targets R$1.6 Billion Crypto-Laundering Network in Narco-Fluxo Raid
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
