
The DeFi protocol Rhea Finance suffered a major security exploit on April 16, and blockchain security firm CertiK estimates losses of approximately $7.6 million. The attacker extracted funds by creating a fraudulent token contract and injecting funds into a newly created liquidity pool, misleading the protocol’s oracle and verification mechanisms. CertiK has identified the on-chain addresses involved, and the investigation is ongoing.
(Source: NearBlocks)
According to CertiK’s preliminary analysis, the technical path of this attack involves two key steps. First, the attacker deploys a fraudulent token contract, and then injects funds into a newly created liquidity pool to create the illusion of “normal trading activity.” This operation misleads the oracle and verification layer that Rhea Finance relies on, causing it to incorrectly assess the value of assets—allowing the attacker to exploit the gap between the protocol’s perceived value and the actual value to extract funds.
Such oracle manipulation attacks are recurring security threats in the DeFi ecosystem. The core mechanism is to distort the protocol’s assessment of an asset’s state by artificially creating liquidity signals or fake price data, triggering trading logic that should not be executed.
CertiK estimates the loss to be approximately $7.6 million, but the figure may still be adjusted as on-chain analysis deepens. According to DefiLlama data, Rhea Finance currently holds total value locked (TVL) of about $128 million, meaning the loss from this vulnerability is roughly 6% of the platform’s total liquidity, a moderate to fairly serious loss for a single security incident.
After stealing the funds, the attacker routed the assets through multiple on-chain addresses, an approach commonly used after DeFi attacks to obscure tracing and make it harder to freeze the funds.
On the same day as the Rhea Finance incident, on-chain records showed two other large BTC transfers worth noting:
U.S. Government: Deposited 8.2 BTC (about $606K) to Coinbase Prime. These assets came from seized assets associated with the Bitfinex hacker incident.
Abraxas Capital: Deposited 1,993 BTC (about $148M) to Kraken, continuing the large-scale Bitcoin trading pattern that began in mid-March.
An oracle is the intermediary through which DeFi protocols obtain off-chain or on-chain price data. When attackers feed distorted data into an oracle via artificially controlled liquidity pools or fraudulent token contracts, the protocol may miscalculate the value of assets and then execute lending, liquidation, or arbitrage operations based on the deviated price, allowing the attacker to extract the difference without risk. This is one of the most common and persistent attack methods in DeFi history.
A $7.6 million loss is about 5.9% of Rhea Finance’s approximately $128 million TVL, making it a moderately severe security incident. If the attacker has not completed all fund transfers, the actual loss may be higher than CertiK’s initial estimate. The platform is still operating, but the risk may be ongoing.
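A defensive valuation guard for the scenario described above, as an added example that is not Rhea Finance's or CertiK's code: it refuses to price an asset from a pool that lacks history or depth, rejects a spot price that departs from the time-weighted average, and caps the credited value by pool reserves. All names, thresholds and sample observations are hypothetical assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ts: int             # unix seconds
    price: float        # pool spot price in USD at ts
    reserve_usd: float  # quote-side reserve in USD at ts

# Hypothetical policy values, for illustration only.
WINDOW_S = 24 * 3600         # history a pool must cover before it is trusted
MIN_RESERVE_USD = 500_000.0  # minimum depth required at every observation
MAX_DEVIATION = 0.05         # allowed gap between spot price and TWAP
MAX_SHARE_OF_RESERVE = 0.10  # credited value may not exceed this share of depth

def twap(obs):
    """Time-weighted average price; each price holds until the next sample."""
    weighted = sum(a.price * (b.ts - a.ts) for a, b in zip(obs, obs[1:]))
    return weighted / (obs[-1].ts - obs[0].ts)

def credited_value(amount, obs, now):
    """Return (usd_value, reasons) for obs sorted by ts; 0.0 if a guard trips."""
    reasons = []
    if len(obs) < 2 or obs[-1].ts <= obs[0].ts or now - obs[0].ts < WINDOW_S:
        reasons.append("insufficient-history")
    if any(o.reserve_usd < MIN_RESERVE_USD for o in obs):
        reasons.append("thin-liquidity")
    if reasons:
        return 0.0, reasons
    avg, spot = twap(obs), obs[-1].price
    if avg <= 0 or abs(spot - avg) / avg > MAX_DEVIATION:
        return 0.0, ["spot-deviates-from-twap"]
    # Price on the conservative side and cap by what the pool could pay out.
    cap = MAX_SHARE_OF_RESERVE * min(o.reserve_usd for o in obs)
    return min(amount * min(spot, avg), cap), []

# Constructed sample data (not taken from the incident).
NOW = 86_400
ESTABLISHED = [Observation(0, 1.00, 2e6), Observation(43_200, 1.02, 2e6),
               Observation(86_400, 1.01, 2e6)]
FRESH_POOL = [Observation(82_800, 50.0, 6e5), Observation(86_400, 50.0, 6e5)]

if __name__ == "__main__":
    print(credited_value(10_000, ESTABLISHED, NOW))  # priced near the TWAP
    print(credited_value(10_000, FRESH_POOL, NOW))   # rejected: one hour old
```

The history requirement is what blunts a newly created pool: injected funds can satisfy a depth check immediately, but they cannot backfill a day of observations.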
Until the protocol team issues an official response or confirms that the system has securely patched the vulnerability, users holding Rhea Finance assets should assess whether to withdraw liquidity to reduce risk. They should continue to track the latest on-chain developments of the incident through third-party security platforms such as CertiK, and avoid depositing new funds until the vulnerability is fully confirmed to be fixed.