Rhea Finance has confirmed that about $18.4 million was drained from its lending protocol in an exploit on Thursday, more than double its initial loss estimate of $7.6 million. The project said the attack originated from a weakness in its margin trading feature and a flaw in its slippage protection mechanism.
How the exploit worked
In a post-mortem released Friday, Rhea said the attacker built a complex swap route to execute multiple margin trades and routed borrowed tokens through counterfeit liquidity pools.
A design weakness in the protocol’s slippage protection failed to properly account for tokens being reused across several steps in a single transaction. This allowed the attacker to create trades that appeared valid on-chain while manipulating price data and siphoning funds from the reserve pool.
The insufficient collateral returned to the protocol triggered liquidations that further drained reserves, magnifying the losses.
Funds recovered and frozen
Rhea reported that about $11.2 million in digital assets has been recovered or frozen:
- Around 3.36 million USDC and 1.56 million NEAR, worth roughly $3.5 million, were voluntarily returned by the attacker.
- About 4.34 million USDT remains frozen by Tether, the stablecoin’s centralized issuer.
The remaining shortfall is estimated at $5.6 million, which the project and external investigators are still attempting to trace.
Emergency response and next steps
Following the exploit, Rhea temporarily paused the affected smart contracts and began working with security teams and other partners to track the missing funds.
The project is drafting a compensation and recovery plan, but has not yet provided a timeline or details on how losses will be allocated or reimbursed.
Aurora Labs and Near Intents co-founder Shevchenko sent an on-chain message to the attacker, claiming the team had identified associated wallet addresses and urging a full return of the stolen assets.
Part of a wider pattern in decentralized finance
Rhea’s exploit is the latest in a series of oracle and liquidity manipulation attacks targeting decentralized finance protocols. In the first quarter of 2026, roughly $168.6 million was drained across 34 different DeFi platforms, according to sector data.
These incidents often exploit interactions between external price feeds, thin or newly created liquidity pools, and complex transaction paths that are difficult to simulate under all market conditions.
With the broader DeFi market holding an estimated total value of $238.54 billion, the frequency of such attacks is heightening scrutiny of protocol design and risk controls.
What traders are watching
For traders allocating capital to leveraged and margin products, the Rhea exploit is reinforcing several due-diligence priorities:
- Reviewing a protocol’s audit history and any follow-up fixes.
- Assessing protections against price oracle manipulation and fake liquidity pools.
- Examining how slippage control logic is implemented, especially for complex multi-step transactions.
Market participants are also focusing on how teams handle crises. Rapid contract pauses, detailed and timely post-mortems, and coordination with security firms and law enforcement are increasingly seen as indicators of operational maturity.
In the wake of the Rhea breach, attention is likely to center on which platforms can demonstrate resilient architecture and clear mechanisms for handling economic exploits and system stress, and which remain exposed to similar design flaws.
To better manage risks like margin exploits and slippage attacks, learn core safeguards in our guide on crypto risk management strategies.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
