RHEA Finance Discloses Attack Cause: Slippage Protection Logic Flaw Leads to $18.4 Million Loss
According to an official disclosure by RHEA Finance (formerly Burrow Finance), a lending protocol in the NEAR ecosystem, the protocol suffered a hack on April 16, 2026 that targeted its margin trading functionality and resulted in losses of approximately $18.4 million.
The attacker began preparations several days prior to the incident by creating multiple fake token pools on Ref Finance and injecting liquidity into them, thereby constructing malicious swap routes. Exploiting a vulnerability in the protocol’s slippage protection mechanism—which failed to account for scenarios where intermediate tokens were reused during multi-step swaps—the attacker caused borrowed debt tokens to be routed into fake token pools under their control. This triggered widespread forced liquidations, ultimately draining the protocol’s reserve pool. During the attack, the attacker deleted a total of 55 intermediary accounts to obscure their trail.
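The class of flaw described above, shown as an added example in a simplified model (this is not RHEA's or Ref Finance's contract code). The `Hop` format, the token names and the assumption that the check summed per-hop minimums are all hypothetical; the disclosure does not give the actual logic.

```rust
use std::collections::HashMap;

/// One hop of a multi-step swap. Hypothetical format for this example only.
pub struct Hop {
    pub token_in: &'static str,
    pub token_out: &'static str,
    pub amount_in: u128,      // amount of token_in this hop consumes
    pub min_amount_out: u128, // minimum token_out this hop must return
}

/// Per-hop check: adds up min_amount_out of every hop that outputs `target`.
/// It never notices a later hop spending that output again.
pub fn naive_min_out(route: &[Hop], target: &str) -> u128 {
    route.iter().filter(|h| h.token_out == target).map(|h| h.min_amount_out).sum()
}

/// Flow-aware check: replay the route on a worst-case ledger (each hop pays
/// only its minimum) and return what is guaranteed to remain in `target`.
pub fn guaranteed_out(route: &[Hop], source: &str, target: &str, amount_in: u128) -> Result<u128, String> {
    let mut bal: HashMap<&str, u128> = HashMap::new();
    bal.insert(source, amount_in);
    for (i, h) in route.iter().enumerate() {
        let have = bal.entry(h.token_in).or_insert(0);
        if *have < h.amount_in {
            return Err(format!("hop {i} spends more {} than the route holds", h.token_in));
        }
        *have -= h.amount_in;
        *bal.entry(h.token_out).or_insert(0) += h.min_amount_out;
    }
    Ok(bal.get(target).copied().unwrap_or(0))
}

/// Constructed route: DEBT -> COLL, then COLL is reused as input to a pool for an unvetted token.
pub fn reused_route() -> Vec<Hop> {
    vec![
        Hop { token_in: "DEBT", token_out: "COLL", amount_in: 1_000, min_amount_out: 980 },
        Hop { token_in: "COLL", token_out: "UNVETTED", amount_in: 980, min_amount_out: 0 },
    ]
}

fn main() {
    let (route, required) = (reused_route(), 980u128);
    println!("per-hop check passes: {}", naive_min_out(&route, "COLL") >= required);
    match guaranteed_out(&route, "DEBT", "COLL", 1_000) {
        Ok(out) if out >= required => println!("flow-aware check passes: {out}"),
        Ok(out) => println!("rejected: only {out} COLL guaranteed, {required} required"),
        Err(e) => println!("rejected: {e}"),
    }
}
```

A validator built this way compares the replayed end balance against the required minimum, so a route that reuses an intermediate token is judged on what it finally leaves in the position token.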
As of now, the attacker has repaid approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract. Additionally, 4.34 million USDT have been frozen—3.291 million frozen by Tether and 1.053 million frozen by NEAR Intents. The protocol’s smart contracts have been paused, and the team is collaborating with centralized exchanges to jointly trace the funds; relevant law enforcement agencies have also been notified.