Rhea Finance stated that its RHEA DEX on the NEAR Protocol has fully resumed operation. The project said the previous suspension was a preventive measure taken by the exchange in response to a recent attack incident; the DEX itself was not directly affected. It has now completed the relevant assessment and restored service, and will publish updates on its lending business later. Previously, the DeFi protocol Rhea Finance was attacked, with attackers extracting at least $7.6 million.
https://t.co/ZkQYemTJQP
RHEA Finance X Insight
Rhea Finance just got drained for $18.4M on @NEARProtocol.
This is the biggest DeFi exploit on the chain. And the way it happened is actually wild. Let me break it down step by step so you understand exactly what went on.
First, what is @rhea_finance?
Rhea is our Ref Finance (DEX) back then + Burrow Finance (Lending), merged early 2025. It became NEAR's dominant DeFi layer.
→ Holds 95%+ of all NEAR DeFi TVL
→ Runs the chain's primary swap DEX + lending protocol
→ Has a margin trading feature connecting both
That margin trading feature is where everything went wrong.
Here's what the attacker did:
Step 1: Deploy fake token contracts
→ Created multiple worthless token contracts on NEAR
↳ Standard NEP-141 tokens (like ERC-20 on Ethereum)
↳ Anyone can deploy one, no approval needed
↳ The chain doesn't know "real" from "fake" - it just executes code
Step 2: Create liquidity pools with fake tokens
→ Paired fake tokens with real assets on Rhea's DEX
↳ Pool: FAKE_TOKEN / USDC
↳ Pool: FAKE_TOKEN / NEAR
↳ Deposited real USDC on one side, fake tokens on the other
↳ This gave fake tokens an artificial "price"
Example: Put 10,000 USDC + 10,000 FAKE into a pool. Now 1 FAKE = 1 USDC according to the DEX. But FAKE is worth nothing. The attacker set the price themselves.
These pools were created less than 2 hours before the exploit.
Step 3: Oracle trusted the fake prices
This is the critical failure.
→ Rhea's oracle pulled pricing from its own DEX pools
↔ No token whitelist (any token was accepted)
↔ No minimum TVL threshold
↔ No time-weighted averaging
↔ No cross-reference with external feeds like Pyth or Chainlink
The oracle saw FAKE/USDC pool and said "FAKE = $1.00. Looks good." That was the end of it.
Step 4: Abuse margin trading with manipulated swap routes
→ How margin trading normally works:
↔ User wants leverage on Token X
↔ Protocol borrows Token Y from Lend (debt)
↔ Swaps Token Y for Token X through DEX pools
↔ User holds Token X, owes Token Y
→ What the attacker did:
↔ Opened margin positions routing through their fake pools
↔ Route: Real USDC -> FAKE_TOKEN -> (attacker's pool absorbs the USDC)
↔ Oracle validated it because FAKE_TOKEN had a "legitimate" price
↔ Protocol approved borrowing millions in real tokens
→ The result:
↔ Real debt tokens (USDC, USDT, NEAR) borrowed from Lend
↔ Funneled directly into attacker's fake pools
↔ Only worthless tokens returned to the protocol
↔ Then force-liquidated the empty positions against the reserve pool
Step 5: Extract everything
→ Attacker removed liquidity from their fake pools
↔ Kept all the real USDC, USDT, NEAR, ZEC
↔ Left @rhea_finance holding worthless fake tokens as "collateral"
↔ Margin positions still showed as "open" but the value was gone
Total drained: $18.4M (initial reports said $7.6M, post-mortem doubled it though)
What happened after:
→ Recovery so far:
↔ Attacker returned ~$3.36M USDC
↔ Attacker returned 1.56M $NEAR (~$3.5M)
↔ Tether froze ~$4.34M USDT (Paolo Ardoino confirmed this)
↔ Total recovered/frozen: ~$11.2M
↔ Still missing: ~$7.2M
→ Impact:
↔ RHEA token dropped 8% to $0.01019
↔ Market cap fell to $2.03M
↔ NEAR DeFi TVL took a massive hit
↔ All Lend withdrawals suspended
↔ DEX and rNEAR token were unaffected
As @zacodil said: "This wasn't a simple hack. The attacker combined two known DeFi attack vectors."
What should have existed to prevent this:
→ Token whitelist. Oracle should only price approved tokens.
→ Pool age check. Minimum 24-48h before oracle trusts any pool.
→ TVL minimum. Ignore pools under $100K.
→ TWAP. Time-Weighted Average Price, not spot price from a 30 min old pool.
→ Multi-source oracle. Cross-reference Pyth, Chainlink, or CoinGecko.
→ Swap route validation. Margin trades should only route through whitelisted pools.
Every single one of these is standard security practice. None of them were in place.
This is why "permissionless" doesn't mean "no security." Any protocol that lets unknown tokens influence price feeds without validation is a ticking bomb.
Don't mess with @NEARProtocol though. They're already on it.
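The oracle-side checks listed in the thread above (token whitelist, pool age, liquidity floor, TWAP, external cross-reference), sketched as an added example; this is not code from the thread or from Rhea Finance, and the type names, thresholds and sample pools are hypothetical. It assumes the liquidity floor counts only the real-asset side of a pool, and that a missing external quote rejects the price.

```rust
use std::collections::HashSet;

// Hypothetical oracle gate; every name, threshold and sample value is constructed.
struct Pool {
    token: &'static str,
    age_secs: u64,                 // time since the pool was created
    quote_liquidity_usd: f64,      // real-asset side only (e.g. USDC), never the priced token
    observations: Vec<(u64, f64)>, // (seconds the price held, price in USD)
}

#[derive(Debug, PartialEq)]
enum Reject { NotWhitelisted, PoolTooYoung, LiquidityTooLow, NoPriceHistory, ExternalMismatch }

const MIN_POOL_AGE_SECS: u64 = 24 * 3600; // lower bound of the thread's 24-48h
const MIN_LIQUIDITY_USD: f64 = 100_000.0; // the thread's $100K floor
const MAX_DEVIATION: f64 = 0.05;          // assumed tolerance against the external feed

// Time-weighted average over the observation window; None if there is no history.
fn twap(obs: &[(u64, f64)]) -> Option<f64> {
    let total: u64 = obs.iter().map(|(dt, _)| *dt).sum();
    if total == 0 { return None; }
    Some(obs.iter().map(|(dt, p)| *dt as f64 * *p).sum::<f64>() / total as f64)
}

// Returns a usable price only if every check passes; otherwise lists each failed check.
fn oracle_price(pool: &Pool, whitelist: &HashSet<&str>, external: Option<f64>) -> Result<f64, Vec<Reject>> {
    let mut failed = Vec::new();
    if !whitelist.contains(pool.token) { failed.push(Reject::NotWhitelisted); }
    if pool.age_secs < MIN_POOL_AGE_SECS { failed.push(Reject::PoolTooYoung); }
    if pool.quote_liquidity_usd < MIN_LIQUIDITY_USD { failed.push(Reject::LiquidityTooLow); }
    let price = twap(&pool.observations);
    match (price, external) {
        (None, _) => failed.push(Reject::NoPriceHistory),
        // Fail closed: no external quote, or one that disagrees, rejects the price.
        (Some(p), Some(ext)) if ((p - ext) / ext).abs() <= MAX_DEVIATION => {}
        (Some(_), _) => failed.push(Reject::ExternalMismatch),
    }
    if failed.is_empty() { Ok(price.unwrap()) } else { Err(failed) }
}

fn main() {
    let whitelist: HashSet<&str> = ["NEAR", "USDC"].iter().copied().collect();
    // Constructed pool shaped like the thread's example: 10,000 USDC + 10,000 FAKE, under 2h old.
    let fake = Pool { token: "FAKE", age_secs: 90 * 60, quote_liquidity_usd: 10_000.0, observations: vec![(5400, 1.0)] };
    println!("{:?}", oracle_price(&fake, &whitelist, None));
}
```

The pool from the thread's example fails four independent checks at once, so removing any single one would still leave the fake price rejected.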
#CertiKInsight 🚨
We have seen an incident affecting @rhea_finance
The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer.
In total, at least ~$7.6M was extracted
https://t.co/qxuAFsVCOA
