Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 270 · Smart Contract Bug

Rhea Finance Two-Day Margin Drain

Rhea Finance on NEAR lost $18.4M after an attacker spent two days preparing fake tokens, 423 wallets and 8 Ref Finance pools, then exploited a flaw in how the margin-trading function summed slippage across swap steps.

Date: April 16, 2026
Chain(s): NEAR
Status: Partially Recovered

On April 16, 2026, the NEAR-based lending protocol Rhea Finance suffered an exploit prepared over two days that drained approximately $18.4 million, more than double the initial $7.6M estimate. The attacker abused a slippage-protection flaw in the margin-trading function: the check summed the expected outputs of sequential swap steps in a way that could be gamed. Approximately $9M was recovered through Tether freezes and partial returns from the attacker.

What happened

Rhea Finance's margin-trading product allowed users to execute leveraged trades through sequences of swaps across NEAR's DeFi ecosystem. The function included a slippage-protection check that summed the expected outputs across all swap steps to verify that users received fair value end-to-end.

The flaw was in how that protection aggregated the steps. Because the check tested only the sum, it placed no bound on any single step: an attacker could construct a route on which the aggregate check passed even though individual steps, executed against pools the attacker had set up, deviated from market-fair values in attacker-favouring directions.

The two-day preparation phase (April 13-15, 2026) was distinctive for its operational discipline:

  1. Created a dedicated wallet as the primary operating address.
  2. Distributed funds across 423 unique intermediary wallets to obscure the attack's funding sources and post-attack laundering paths.
  3. Deployed purpose-built fake token contracts designed to interact with Rhea's margin-trading logic in specific exploitable ways.
  4. Created 8 new trading pools on Ref Finance (NEAR's main DEX) — providing the liquidity venues the attack would route through.
  5. Built a custom swap router to execute the attack's complex sequence of operations as a single atomic transaction.

On April 16, the attack executed:

  1. Used the prepared infrastructure to call Rhea's margin-trading function with the carefully-crafted swap sequence.
  2. Each step in the sequence extracted value that the slippage-summation logic failed to detect as cumulative under-pricing.
  3. Drained approximately $18.4M in mixed assets — primarily USDC, USDT, NEAR, and wrapped BTC.
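The following is an added illustrative model of the flaw class described above, written for this dossier and not taken from Rhea Finance, Ref Finance or the published post-mortems. It assumes constant-product pools with no fee, a hypothetical trusted price oracle, and made-up reserve and price figures; the route through the FAKE token stands in for the attacker-deployed tokens and pools, not for the actual exploit transaction. The vulnerable check adds the nominal outputs of every hop into one number, so a hop that pays out an enormous quantity of a worthless token masks a hop in which real assets leave the protocol; the hardened check prices every hop in a common unit, rejects tokens the oracle does not know, and bounds each hop's loss separately.

```rust
use std::collections::HashMap;

/// Constant-product pool (x*y = k, no fee). Constructed for this example.
#[derive(Clone, Debug)]
pub struct Pool {
    pub token_in: &'static str,
    pub token_out: &'static str,
    pub reserve_in: u128,
    pub reserve_out: u128,
}

impl Pool {
    /// Output amount for `amount_in` under x*y = k (integer division, no fee).
    pub fn quote(&self, amount_in: u128) -> u128 {
        amount_in * self.reserve_out / (self.reserve_in + amount_in)
    }
}

/// Run a sequential route: each hop's output is the next hop's input.
/// Returns the (token, amount) produced by every hop.
pub fn simulate(route: &[Pool], amount_in: u128) -> Vec<(&'static str, u128)> {
    let mut amt = amount_in;
    route.iter().map(|p| { amt = p.quote(amt); (p.token_out, amt) }).collect()
}

/// Vulnerable pattern: sums the nominal output of every hop regardless of token
/// and compares that single number with a threshold. Units are incoherent, so a
/// hop paying out a huge quantity of a worthless token hides a hop that gives
/// real assets away.
pub fn vulnerable_check(route: &[Pool], amount_in: u128, min_total_out: u128) -> bool {
    simulate(route, amount_in).iter().map(|(_, a)| *a).sum::<u128>() >= min_total_out
}

/// Hardened pattern: value every hop in a common unit via a trusted oracle
/// (hypothetical map: token -> price in USD cents per whole token), reject any
/// token the oracle does not price, and bound the loss of each hop and of the
/// whole route to `max_loss_bps`. Returns the final output amount on success.
pub fn hardened_check(
    route: &[Pool],
    amount_in: u128,
    oracle: &HashMap<&'static str, u128>,
    max_loss_bps: u128,
) -> Result<u128, String> {
    let price = |t: &str| oracle.get(t).copied().ok_or(format!("no oracle price for {t}"));
    let keep_bps = 10_000u128.saturating_sub(max_loss_bps);
    let first = route.first().ok_or("empty route")?;
    let start_value = amount_in * price(first.token_in)?;
    let (mut cur_token, mut amt, mut value) = (first.token_in, amount_in, start_value);
    for (i, p) in route.iter().enumerate() {
        if p.token_in != cur_token {
            return Err(format!("hop {i}: route discontinuity ({cur_token} != {})", p.token_in));
        }
        let out = p.quote(amt);
        let out_value = out * price(p.token_out)?; // unknown token -> Err here
        if out_value * 10_000 < value * keep_bps {
            return Err(format!("hop {i}: {}->{} loses more than {max_loss_bps} bps", p.token_in, p.token_out));
        }
        cur_token = p.token_out;
        amt = out;
        value = out_value;
    }
    if value * 10_000 < start_value * keep_bps {
        return Err("end-to-end loss exceeds tolerance".into());
    }
    Ok(amt)
}

/// Honest USDC->NEAR pool at a constructed price of 5 USD per NEAR.
pub fn honest_route() -> Vec<Pool> {
    vec![Pool { token_in: "USDC", token_out: "NEAR", reserve_in: 1_000_000, reserve_out: 200_000 }]
}

/// Constructed attacker route through a self-deployed FAKE token: hop 0 hands
/// USDC to an attacker-owned pool for an enormous nominal amount of FAKE, hop 1
/// converts that FAKE into (almost) no NEAR.
pub fn attack_route() -> Vec<Pool> {
    vec![
        Pool { token_in: "USDC", token_out: "FAKE", reserve_in: 1_000, reserve_out: 1_000_000_000_000_000 },
        Pool { token_in: "FAKE", token_out: "NEAR", reserve_in: 1_000_000_000_000_000_000, reserve_out: 1 },
    ]
}

/// Hypothetical oracle: USDC = $1.00, NEAR = $5.00; FAKE deliberately absent.
pub fn oracle() -> HashMap<&'static str, u128> {
    HashMap::from([("USDC", 100), ("NEAR", 500)])
}

fn main() {
    let amount = 10_000; // USDC, constructed trade size
    for (name, route) in [("honest", honest_route()), ("attack", attack_route())] {
        println!(
            "{name}: summed-check={} per-hop-check={:?}",
            vulnerable_check(&route, amount, 1_900),
            hardened_check(&route, amount, &oracle(), 200)
        );
    }
}
```

Running it shows the honest route passing both checks, while the attack route passes the summed check (its first hop alone produces roughly 9.1e14 FAKE) and ends with zero NEAR; the per-hop check rejects it as soon as it meets a token the oracle cannot price. Rejecting unknown tokens is the key design choice: a check that tolerated them would have to trust a price the attacker controls.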

Aftermath

  • Rhea Finance paused affected operations within hours.
  • The team published an investigation report detailing the two-day preparation timeline.
  • Recovery efforts:
    • $3.29M USDT frozen directly in the attacker's wallet by Tether.
    • $3.359M USDC returned by the attacker after on-chain negotiation.
    • $1.564M NEAR returned by the attacker.
    • $4.34M USDT frozen (additional separate Tether action).
  • Total recovered or frozen: approximately $9 million of the $18.4M loss, roughly 49%. (The itemised figures above add up to about $12.6M, more than the reported total, so the two USDT freeze entries cannot both be independent additions; the $9M net figure is the one reported.)

Why it matters

The Rhea Finance incident is the textbook 2026 case for how preparation-heavy attacks are becoming the norm at the upper end of DeFi exploit sophistication. The two-day infrastructure-building phase resembles state-actor operational tradecraft more than opportunistic protocol exploitation. The 423-wallet distribution alone implies significant infrastructure investment and operational planning.

The structural lessons:

  1. Slippage-protection logic must be tested against adversarial sequences, not just normal user flows. Property-based or fuzz testing over generated swap routes, with per-step invariants (every hop priced in a common unit against a trusted reference, unknown tokens rejected, each hop's loss bounded on its own), is the practical way to surface this class of bug; an end-to-end check on a sum cannot be made safe by testing happy paths.

  2. Attribution and recovery have become meaningfully more effective in 2026. The combination of Tether's freeze capability (which has hardened significantly since 2022), on-chain investigators publishing the attacker's wallet network within hours, and the white-hat-negotiation pathway being widely understood means that even sophisticated attackers face meaningful constraints on their cash-out.

  3. The pre-attack infrastructure footprint is itself a defensive signal — deploying 423 intermediary wallets and 8 new Ref Finance pools is the kind of activity that on-chain monitoring services can detect before the attack executes, given enough sophistication. Rhea's recovery effort retroactively built the detection patterns; building them prospectively is increasingly the frontier of DeFi security.

The 49% recovery rate is notably high for an $18M DeFi incident, and reflects the combination of Tether's enforcement willingness and the attacker's apparent calculation that a partial return plus bounty was preferable to attempting to launder the full amount given current on-chain forensics capabilities.

Sources & on-chain evidence

  1. Halborn: https://www.halborn.com/blog/post/explained-the-rhea-finance-hack-april-2026
  2. The Block: https://www.theblock.co/post/397961/rhea-finance-post-mortem-exploit-losses-18-4-million-double-initial-estimates
  3. Coin Edition: https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals
