Key Takeaways:
- Rhea Finance lost roughly $7.6M in an exploit of its margin trading system.
- Attackers used fake tokens and liquidity pools to manipulate prices and drain funds.
- Contracts have been paused, recovery is in progress, and police are involved.
Another exploit has hit the DeFi ecosystem: Rhea Finance has confirmed an attack on its lending infrastructure. The incident unfolded over a short period, forcing the team to halt its major contracts and begin the recovery process.
Exploit Targets Margin Trading and Lending Contracts
Rhea Finance said the attacker exploited a vulnerability in its margin trading feature. This allowed a coordinated manipulation of liquidity pools tied to the lending system.
The Rhea team would like to provide an update regarding the recent exploit.
Since identifying the situation approximately 10 hours ago, we have been focused on safeguarding users and coordinating recovery efforts across all fronts.
— Rhea Finance (@rhea_finance) April 17, 2026
The affected component was the Rhea Lend smart contract. The decentralized exchange (DEX) contract was not impacted, but both systems were paused as a precaution.
Blockchain security firm CertiK estimated losses at around $7.6 million. The attacker allegedly created fake token contracts and pumped up the newly created pools. This probably corrupted oracle pricing and bypassed validation.
The attacker could then obtain funds by exploiting these manipulated inputs before the system flagged the abnormalities.
Immediate Response and Fund Recovery Efforts
Rhea appears to have moved quickly once it spotted the exploit. Within hours, the team halted the affected contracts and began monitoring the attacker's wallet addresses on both Ethereum and NEAR.
What the Team Is Doing Now
The protocol confirmed several active steps:
- Negotiating with the attacker for the return of the remaining funds
- Engaging a security firm to conduct a forensic investigation and monitoring
- Notifying law enforcement to aid the investigation and recovery
The team also stressed that rNEAR was not impacted and remains in operation. This helped limit the spread of the impact to users across the ecosystem. According to Rhea, the priority is protecting users. A comprehensive post-mortem report is expected once the situation has stabilized.
Rising Pattern of DeFi Exploits
The case joins a growing list of attacks on DeFi protocols in recent weeks. Exploits increasingly target complex systems such as oracles, liquidity pools and margin systems.
Attackers no longer rely on simple bugs. Instead, they combine several techniques, such as counterfeit assets and artificial liquidity, to circumvent checks.
Here, newly created token contracts were used, which points to a deliberate effort to deceive automated pricing models. These models are essential to DeFi and can become vulnerabilities when fed incorrect data.
Security firms have repeatedly warned that oracle manipulation remains one of the most effective attack vectors. Protocols that rely heavily on external pricing inputs are especially exposed if safeguards are not robust.
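The kind of safeguard this refers to can be sketched as a price-source guard that refuses quotes from pools matching the pattern described above (unknown tokens, newly created pools, inflated prices). This is an added example, not Rhea's or CertiK's code; the token names, thresholds, and sample pools are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
# Every name, threshold and sample pool here is constructed for illustration.
ALLOWLISTED_TOKENS = {"wnear.example", "usdc.example"}
MIN_POOL_AGE_SECS = 24 * 3600   # freshly created pools are not price sources
MIN_LIQUIDITY_USD = 250_000     # thin pools are cheap to move
MAX_DEVIATION = 0.05            # max 5% gap to an independent reference price

@dataclass
class PoolQuote:
    pool_id: str
    base_token: str
    quote_token: str
    created_at: int       # unix seconds
    liquidity_usd: float
    spot_price: float     # base token priced in quote token

def reject_reasons(q, reference_price, now):
    """Return every reason this pool must not feed the lending oracle."""
    reasons = []
    for tok in (q.base_token, q.quote_token):
        if tok not in ALLOWLISTED_TOKENS:
            reasons.append(f"token not allowlisted: {tok}")
    if now - q.created_at < MIN_POOL_AGE_SECS:
        reasons.append("pool too new")
    if q.liquidity_usd < MIN_LIQUIDITY_USD:
        reasons.append("liquidity below floor")
    if reference_price is None or reference_price <= 0:
        reasons.append("no independent reference price")
    elif abs(q.spot_price - reference_price) / reference_price > MAX_DEVIATION:
        reasons.append("price deviates from reference")
    return reasons

def accepted_price(quotes, reference_price, now):
    """Median of the quotes that pass every check; None means fail closed."""
    ok = [q.spot_price for q in quotes if not reject_reasons(q, reference_price, now)]
    return median(ok) if ok else None

NOW = 1_800_000_000  # constructed timestamp
ESTABLISHED = PoolQuote("pool-1", "wnear.example", "usdc.example",
                        NOW - 90 * 86400, 4_000_000, 2.51)
# Pumped liquidity passes the floor, so the other checks must catch it.
FRESH_FAKE = PoolQuote("pool-2", "fake.example", "usdc.example",
                       NOW - 600, 900_000, 40.0)

if __name__ == "__main__":
    for q in (ESTABLISHED, FRESH_FAKE):
        print(q.pool_id, reject_reasons(q, 2.50, NOW) or "accepted")
    print("oracle price:", accepted_price([ESTABLISHED, FRESH_FAKE], 2.50, NOW))
```

Returning `None` when no pool qualifies lets the caller pause borrowing against that asset instead of pricing it from an untrusted pool.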
Rhea’s case shows how quickly such exploits can unfold. Even established protocols can face sudden losses if a single vulnerability is exposed.








