Rhea Finance lost $7.6M in a margin trading exploit. Attackers used fake token pools to manipulate oracles. Here’s what happened.
Rhea Finance suffered a major security breach this week. Attackers drained at least $7.6 million from the protocol.
The incident targeted the platform’s margin trading feature. Blockchain security firm CertiK flagged the attack in a public alert. Recovery efforts are now underway.
Related reading:
Russia’s Grinex Hit by $13M Crypto Hack, Trading Suspended
How the Rhea Finance Attack Unfolded
According to CertiK, the attacker created fake token contracts. They then added liquidity to freshly created pools. This likely misled Rhea’s oracle and validation layer.
The manipulation gave the attacker leverage to siphon funds from the protocol.
We have seen an incident affecting @rhea_finance
The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer.
In total, at least ~$7.6M was extracted
— CertiK Alert (@CertiKAlert) April 16, 2026
Rhea Finance confirmed the exploit on its official channels. Additionally, the team identified a vulnerability in its Margin Trading feature.
Attackers used this weakness to execute a coordinated pool manipulation attack. The Rhea Lend smart contract took the direct hit.
Notably, the Rhea DEX contract was not affected. Moreover, the team clarified that rNEAR also remained untouched. Both contracts are currently paused as a protective measure.
The pause specifically targets safeguarding the Rhea Lend side of the protocol.
Funds Being Tracked Across ETH and NEAR
Rhea Finance shared two addresses linked to the attacker.
One sits on the Ethereum network, the other on NEAR. The team published both addresses publicly to support tracking efforts. Hence, this move signals active coordination with the broader crypto security community.
Funds are actively being recovered and the team is in communication with the involved party regarding the return of the remaining funds.
The addresses currently being tracked include:
• ETH:— Rhea Finance (@rhea_finance) April 17, 2026
The Rhea team also reached out to the attacker through an on-chain transaction. Negotiations around returning the remaining funds are ongoing.
A leading security team now supports forensic investigation and fund tracking. Besides, law enforcement has also been notified.
NEAR Intents responded swiftly to the situation. Activity on NEAR Intents and near.com was temporarily paused.
The pause came as a precaution while the team assessed linked transactions. Additionally, NEAR Intents confirmed no user funds on its platform were lost or stolen.
What Comes Next for Rhea Finance Users
Rhea Finance said protecting user positions remains its top priority. Moreover, the team has been working non-stop since identifying the incident roughly ten hours after it occurred.
Multiple partners, stakeholders, and security experts are now involved in the response.
A full incident report is expected to follow the ongoing investigation.
Besides, the team will provide updates as new details emerge. Users are advised to monitor official Rhea Finance channels for further announcements.
