defirisk.co
rubric v1.7.0

Rhea Finance (merged entity of Ref Finance DEX + Burrow Finance lending; launched February 2025): Permissionless fake-token pool creation → spot-price oracle acceptance → margin-trading `min_amount_out` double-counting across sequential swaps

An attacker spent two days seeding 8 fake token pools across 423 wallets on NEAR, tricked Rhea Finance's spot-price oracle into pricing worthless tokens as real collateral, then exploited a double-counting arithmetic error in the margin-slippage check to drain $18.4M in cascading liquidations.

Occurred: 2026-04-16
Loss: $18M
Status: closed

Summary

Rhea Finance (merged entity of Ref Finance DEX + Burrow Finance lending; launched February 2025), an integrated DEX + lending + margin trading platform and NEAR's dominant DeFi protocol, was exploited on 2026-04-16, resulting in a loss of approximately $18M.

What happened

An attacker spent two days seeding 8 fake token pools across 423 wallets on NEAR, tricked Rhea Finance's spot-price oracle into pricing worthless tokens as real collateral, then exploited a double-counting arithmetic error in the margin-slippage check to drain $18.4M in cascading liquidations.

Linked factors

  • RD-F-007 (related): Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: PENDING, no confirmed Immunefi program identified in sources]
  • RD-F-008 (illustrative): Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: audited code (per BlockSec + ToB, October 2025); the specific double-counting case was not caught]
  • RD-F-099 (illustrative): Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — price history for fake tokens was entirely self-generated from attacker wash trades; any oracle with a liquidity threshold or token-age ...]
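The oracle-anomaly signal behind RD-F-099, and the liquidity-threshold and token-age gates the factor text mentions, as one worked acceptance check. This is an added example written for this page; it is not defirisk's rubric code and not Rhea Finance's oracle. The threshold constants, the `self_volume_share` metric (share of recent pool volume traded by the wallets that created the pool) and the two sample snapshots are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for this illustration; a real deployment would tune them
# per chain and per asset class.
MIN_LIQUIDITY_USD = 250_000.0    # pools thinner than this cannot anchor a collateral price
MIN_TOKEN_AGE_BLOCKS = 100_000   # tokens younger than this are not collateral-grade
MAX_DEVIATION = 0.05             # 5% maximum spread versus the secondary source
MAX_SELF_VOLUME_SHARE = 0.50     # more than half the volume from pool creators looks self-generated


@dataclass
class PoolSnapshot:
    token: str
    spot_price: float                  # price implied by the DEX pool, in USD
    secondary_price: Optional[float]   # independent reference feed; None if no feed lists the token
    pool_liquidity_usd: float
    token_age_blocks: int
    self_volume_share: float           # fraction of recent volume traded by the pool's own creators (assumed metric)


def price_rejection_reasons(snap: PoolSnapshot) -> list[str]:
    """Return every reason this spot price should not be accepted as a collateral price.

    An empty list means the price passes all gates. Reasons are reported in a fixed
    order so monitoring can compare verdicts across snapshots.
    """
    reasons = []
    if snap.pool_liquidity_usd < MIN_LIQUIDITY_USD:
        reasons.append("liquidity_below_threshold")
    if snap.token_age_blocks < MIN_TOKEN_AGE_BLOCKS:
        reasons.append("token_too_new")
    if snap.self_volume_share > MAX_SELF_VOLUME_SHARE:
        reasons.append("self_generated_volume")
    if snap.secondary_price is None:
        # No independent reference at all: the spot price is the only source and cannot be cross-checked.
        reasons.append("no_secondary_source")
    else:
        deviation = abs(snap.spot_price - snap.secondary_price) / snap.secondary_price
        if deviation > MAX_DEVIATION:
            reasons.append("deviation_above_max")
    return reasons


def collateral_value_usd(snap: PoolSnapshot, amount: float) -> float:
    """Value collateral at the spot price only when every gate passes; otherwise count it as zero."""
    if price_rejection_reasons(snap):
        return 0.0
    return amount * snap.spot_price


# Constructed sample snapshots (not real market data): an established token, and a
# freshly created token whose only price history comes from its creators' own trades.
ESTABLISHED = PoolSnapshot(
    token="TOKEN-A", spot_price=4.02, secondary_price=4.00,
    pool_liquidity_usd=12_000_000.0, token_age_blocks=5_000_000, self_volume_share=0.02,
)
FRESH_FAKE = PoolSnapshot(
    token="FAKE-1", spot_price=4.00, secondary_price=None,
    pool_liquidity_usd=40_000.0, token_age_blocks=9_000, self_volume_share=0.98,
)


if __name__ == "__main__":
    for snap in (ESTABLISHED, FRESH_FAKE):
        reasons = price_rejection_reasons(snap)
        verdict = "accepted" if not reasons else "rejected: " + ", ".join(reasons)
        value = collateral_value_usd(snap, 1000)
        print(f"{snap.token}: {verdict}; 1000 units valued at ${value:,.2f}")
```

The design point is that the gates are independent and all of them are evaluated: a pool that is deep enough but whose volume is self-generated, or a token old enough but with no secondary feed, is still rejected, and a lending contract that values unaccepted collateral at zero cannot be pushed into cascading liquidations by a price that only one manipulable pool supports.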