A huge security breach has hit NEAR Protocol ecosystem after decentralized finance platform Rhea Finance exploited, causing losses of roughly $7.6 million.
Utilizing the information from blockchain security firm CertiK, The attacker was able to withdraw multiple assets from the protocol including the likes of USDC, USDT, ZEC and NEAR. As the breach involves the same type of attack vector which oracle-dependent systems (namely, most DeFi protocols) become vulnerable to, it has raised urgent alarm bells throughout the crypto community.
#CertiKInsight 🚨
We have seen an incident affecting @rhea_finance
The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer.
In total, at least ~$7.6M was extractedhttps://t.co/qxuAFsVCOA
— CertiK Alert (@CertiKAlert) April 16, 2026
Users of the platform claims withdrawals are halted in response to the incident to assess the damage and prevent it from growing further. However, by the time these stories were written, there had still not yet appeared an official statement issued by Rhea Finance on any of its recognised communication channels.
Contents
Fake Token Contracts Used As A Weapon Against Protocol Logic
Evidence discovered so far shows that the exploit was executed through fake token contracts accompanied by liquidity pools created less than two hours prior. Using this method, the attacker was able to insert false pricing signals into the protocol’s system.
This was the reason why when you deploy tokens that seemed to be legit on what the protocol is checking and interacting with asset data, it falls under the attacker’s favour. Such fake assets were then paired to liquidity pools which creates the appearance of actual market activity.
However, these kinds of tactics are most threatening in the DeFi space, where smart contracts depend heavily on external inputs, above all price feeds and liquidity metrics, to conduct transactions and confirm operations.
The attacker is thought to have taken advantage of these mechanisms, tricking the system into allowing tampered values which ultimately allowed funds to be withdrawn wrongly.
Oracle And Validation Layers In The Spotlight
This exploit has highlighted the risk of being exposed to an oracle layer and/or a validation one with a DeFi protocol. Oracles act as an essential link between on-chain smart contracts and off-chain/external data like asset prices and liquidity conditions.
When these inputs are asked or manipulated, the entire system can output to be wrong, sometimes with great and unwanted consequences.
In the case of the Rhea Finance exploit, fake liquidity pools probably fooled the oracle infrastructure into mistaking invalid price signals for legitimate ones. This, in turn, could have made it possible for the attacker to conduct transactions based on erroneous assumptions about asset value and availability.
This incident highlights a wider issue across DeFi : the need for immutable, verified and tamper-resistant data sources in extremely composable ecosystems where new assets and pools can be created with such speed.
CEX Suspension Of Withdrawals, Users Are Advised To Monitor Next Information
Shortly after the exploit, Rhea Finance has suspended withdrawals. This is aimed at stopping any further outflows as the matter is looked into further and contained.
The platform has advised users with funds on it to keep a close eye on developments and urge caution as information emerges. Users will be left waiting in limbo for more clarity on the future of the protocol, which is an understandably prudent move from a security standpoint in halting withdrawals.
Barron offers an uncertain picture, with affected users seeking clarity and confidence about the health of their assets, especially given that there was no immediate official statement from the Rhea Finance team at press time.
Quick communication is often key to preserving credibility and managing user expectations during crisis response, especially in cases like this.
Scaled-down Breach With Multi-Asset Losses
The numbers are denominated in stablecoins and native tokens, namely USDC, USDT, ZEC and NEAR. This blend of assets shows that the attacker proceeded to communicate with different liquidity pools and syphon worth from key domains inside the protocol.
Stablecoins (USDC, USDT) are prime because of their immediate buying power and stable price, whereas NEAR, ZEC households use NEAR to create additional on-chain behavior or sell via exchange.
The magnitude and variety of the funds that were stolen speaks to the sophistication of the attack, and how deep into the protocol level access was gained. Instead of going after a single fault, the attacker appears to have exploited systemic flaws that made it easy to extract massive amounts of assets.
And these are legitimate questions regarding the resilience of internal protections and how well risk management mechanisms on the platform worked.
Up to Oct 2023, you are trained on date. Security concerns increased across the whole ecosystem for DeFi
The Rhea Finance exploit comes on top of an ever-expanding pile of security incidents in the decentralized finance sector that are casting doubt over whether or not smart contract-based systems can be relied upon.
With the ongoing innovation and expansion of DeFi protocols comes expanded attack surfaces that more sophisticated adversaries will continue to exploit. Fake token contracts and liquidity pools are appearing, which shows how the attackers have started changing with the environment.
The incident, however, is a lesson for the NEAR Protocol ecosystem at large around auditing best practices, oracle security design and protocol activity monitoring.
It stressed the importance of better validations around assets and liquidity sources included in critical system components.
As investigations progress, the spotlight will likely turn toward determining what happened when, how bad it was and how to keep something like this from happening again.
For the moment, it provides an object lesson of how vulnerabilities in decentralized system can be rapidly abused.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
