Rhea Finance / Rhea Lend Exploit - April 2026
Overview
Rhea Finance, a NEAR Protocol lending and margin trading protocol, said an exploit drained approximately $18.4 million from its lending protocol on Thursday April 16, 2026, more than doubling early estimates that had pegged losses at around $7.6 million.
Attack Details
The updated figure comes from a post-mortem published Friday, where the Rhea team shared more details of the attack that targeted the protocol's margin trading feature. The Rhea team said the exploit manipulated liquidity pools and routed trades through fake tokens.
Between April 13 and 15 (two days before the heist), the attacker quietly built the infrastructure needed for the drain:
• Created a subject wallet funded through cross-chain transfers
• Distributed funds across 423 unique intermediary wallets in rapid automated succession
• Deployed purpose-built fake token contracts that exposed no standard metadata
• Created eight new trading pools on Ref Finance pairing fake tokens against USDC, USDT, and wNEAR at artificially controlled price ratios
• Built a swap router connecting these fake pools as the attack vector
Root Cause
The exploit targeted the protocol's margin trading feature, exploiting a weakness in the slippage protection mechanism to drain funds from the reserve pool. The system aggregated expected output values across multiple swap steps without accounting for cases in which tokens were reused across transactions. This allowed the attacker to construct a series of swaps that bypassed the intended slippage protection, diverting borrowed assets into attacker-controlled liquidity pools.
Financial Impact
• Total loss: ~$18.4 million (initial estimates were ~$7.6m)
• Recovery: ~$11.2 million in assets returned or frozen
• Of the $18.4M, roughly $9 million already recovered/frozen, including $3.29M USDT frozen by Tether directly in the attacker's wallet
• NEAR token dropped 3.5% on the news
Sources