In April 2026, Rhea Finance, one of the largest DeFi hubs on the NEAR blockchain, was the victim of a hack. The attacker stole an estimated $7.6 million from the protocol via an oracle manipulation attack.
Inside the Attack
Price oracles are responsible for determining the value of various types of cryptocurrencies, whose values are set by the market. Part of this role involves discovering new tokens and pricing them based on recent trade activity.
The Rhea Finance attacker exploited this practice by creating fake token contracts and new funding pools that matched them with legitimate tokens. By adding liquidity to these pools and making trades with these trading pairs, the attacker created on-chain evidence that their token was legitimate and had a certain value.
The Rhea Finance price oracles relied on recent data to price tokens, not taking historical context into account. As a result, the attacker only needed to create a minimal amount of price history for their tokens for the alleged price to be accepted by the oracle.
After getting their fake tokens accepted, the attacker was able to use them as collateral. In total, the attacker was able to extract an estimated $7.6 million from the protocol, while leaving Rhea Finance holding the worthless fake tokens as collateral.
After withdrawing the funds, the attacker routed them through multiple on-chain addresses to help cover their tracks. Approximately $3.29 million USDT was later frozen by Tether, and there were signs that some of the funds might have been returned to the platform.
Lessons Learned from the Attack
Price oracle manipulation, as happened in the Rhea Finance hack, is a common attack vector in the DeFi space. When price oracles trust recent price data to determine token values, attackers can build short histories for fake tokens and use them to define fake prices for those tokens.
These types of incidents can be prevented by using more historical context when determining token pricing. For example, time-weighted average prices (TWAPs) price a token over a longer time window. Alternatively, a project can define minimum token ages or liquidity thresholds before allowing pools to be created for a new token.
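The sketch below combines the mitigations described above into one collateral-pricing check. It is an added example, not code from Rhea Finance or Halborn. All names, thresholds and sample histories are constructed assumptions, and it applies the age and liquidity thresholds when a token is priced as collateral rather than at pool creation.

```python
from dataclasses import dataclass

# Constructed policy values for illustration; not Rhea Finance parameters.
DAY = 86_400
TWAP_WINDOW_S = DAY            # averaging window
MIN_TOKEN_AGE_S = 7 * DAY      # first trade must be at least this old
MIN_LIQUIDITY_USD = 250_000    # lowest pool depth tolerated inside the window
MAX_SPOT_DEVIATION = 0.10      # spot may differ from the TWAP by at most 10%

@dataclass
class Observation:
    ts: int              # unix seconds of the pool snapshot
    price_usd: float
    liquidity_usd: float

def segments(obs, now, window):
    """Yield (observation, seconds it was in effect) within [now - window, now]."""
    start = now - window
    for cur, nxt in zip(obs, obs[1:] + [None]):
        t0 = max(cur.ts, start)
        t1 = now if nxt is None else min(nxt.ts, now)
        if t1 > t0:
            yield cur, t1 - t0

def collateral_price(obs, now):
    """Return (price, "ok") or (None, reason) for a token offered as collateral."""
    obs = sorted(obs, key=lambda o: o.ts)
    if not obs or now - obs[0].ts < MIN_TOKEN_AGE_S:
        return None, "token too new"
    segs = list(segments(obs, now, TWAP_WINDOW_S))
    if min(o.liquidity_usd for o, _ in segs) < MIN_LIQUIDITY_USD:
        return None, "liquidity below threshold"
    avg = sum(o.price_usd * d for o, d in segs) / sum(d for _, d in segs)
    spot = obs[-1].price_usd
    if avg <= 0 or abs(spot - avg) / avg > MAX_SPOT_DEVIATION:
        return None, "spot deviates from TWAP"
    return min(spot, avg), "ok"   # value collateral at the more conservative price

# Constructed sample histories (not data from the incident).
NOW = 1_800_000_000
ESTABLISHED = [Observation(NOW - d * DAY, 1.00, 1_000_000) for d in range(30, 0, -1)]
SPIKED = ESTABLISHED + [Observation(NOW - 600, 5.00, 1_000_000)]
NEW_TOKEN = [Observation(NOW - 7_200, 100.0, 50_000), Observation(NOW - 60, 100.0, 50_000)]
AGED_THIN = [Observation(NOW - 10 * DAY, 100.0, 5_000)]

if __name__ == "__main__":
    for name, hist in [("established", ESTABLISHED), ("spiked", SPIKED),
                       ("new token", NEW_TOKEN), ("aged, thin pool", AGED_THIN)]:
        print(name, collateral_price(hist, NOW))
```

The AGED_THIN case shows why the checks are layered: a token can satisfy the age requirement while its pool is still too shallow for its price to be trusted.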
Protecting against these types of threats requires careful protocol design from the very beginning. Halborn offers security advisory services that can help teams to avoid this and other common threats. Get in touch to find out more.
