NEAR Protocol’s largest Decentralized Finance (DeFi) hub, Rhea Finance, suffered a $7.6 million exploit after an attacker manipulated its oracle and validation layer.
Blockchain security firm CertiK flagged the incident, confirming that assets were drained across multiple tokens.
How the Rhea Finance Exploit Unfolded
The attacker deployed fake token contracts and created fresh liquidity pools on the protocol. These pools likely distorted price feeds, misleading the oracle into validating fraudulent transactions.
According to CertiK, at least $7.6 million was extracted from Rhea Finance. Stolen funds included USDC, USDT, Zcash (ZEC), and NEAR (NEAR).
Vadim Zacodil, an ex-NEAR core contributor, confirmed the figures and warned users to monitor the situation closely.
Withdrawals are currently halted as the team works to contain further damage.
“The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer,” CertiK noted.
Why This Matters for NEAR DeFi
Rhea Finance holds a dominant position in the NEAR ecosystem. Formed in early 2025 through the merger of Ref Finance and Burrow Finance, it serves as the primary DEX and lending layer on the network.
The protocol previously held over 95% of NEAR’s DeFi total value locked, making this exploit significant for the entire chain’s DeFi infrastructure.
Oracle manipulation remains one of the most persistent vulnerabilities in DeFi, with attackers repeatedly exploiting untested price feeds and thin liquidity.
The coming days will reveal the full scope of losses and whether Rhea Finance can secure affected user funds.
