- Attacker spent over two days creating 423 wallets and fake token pools before the exploit.
- Slippage protection flaw counted the same token value twice across sequential swap steps.
- Tether froze $3.29 million USDT directly in the attacker’s wallet as recovery efforts began.
Rhea Finance published a detailed post-mortem this week after losing $18.4 million in an exploit that investigators describe as a combination of two known DeFi attack vectors assembled into something new. They revealed that the attack did not happen in minutes. It took two days of preparation.
The Setup
Between April 13 and 15, the attacker quietly built the infrastructure needed for the drain:
- Created a subject wallet funded through cross-chain transfers
- Distributed funds across 423 unique intermediary wallets in rapid automated succession
- Deployed purpose-built fake token contracts that exposed no standard metadata
- Created eight new trading pools on Ref Finance pairing fake tokens against USDC, USDT, and wNEAR at artificially controlled price ratios
- Built a swap router connecting these fake pools as the attack vector
By the time the exploit launched on April 16, the entire infrastructure was in place and waiting.
How the Slippage Trick Actually Worked
The technical elegance of the attack is what makes it notable. Rhea Finance’s margin trading feature includes slippage protection that sums expected outputs across all swap steps to verify users receive fair value. The attacker found a flaw in how that calculation works across sequential steps.
The exploit in plain terms:
- Step 1: 1,000 USDC converts to 999 AttackerToken with a minimum output of 999
- Step 2: 999 AttackerToken converts back to 1 USDC with a minimum output of 1
- Slippage check sees: 999 plus 1 equals 1,000. Looks fine.
- Reality: Only 1 USDC returned to the protocol. The 999 USDC sits in the attacker’s pool.
The check counted AttackerToken as the final output without recognizing that it was immediately spent as input for the next step. Borrowed funds were funneled into the attacker’s fake pools. Positions were immediately worth far less than their debt, triggering forced liquidations that drained the reserve pool.
The closest precedent is the KyberSwap exploit of 2023, which cost $54.7 million using the same principle of counting the same value twice across sequential operations.
Where Things Stand
Approximately $9 million of the $18.4 million has already been recovered or frozen, including $3.29 million USDT frozen by Tether directly in the attacker’s wallet. The lending contract has been paused while recovery efforts continue.
The Near Intents team has suggested the attacker has been identified and may even have a public presence on X. A formal trace has been opened with centralized exchanges to identify the account owner.
Rhea Finance’s post-mortem includes the full attack chronology, transaction hashes, and the exact line of vulnerable code. It is being described as one of the most detailed exploit disclosures in DeFi history.
Related: Rhea Finance Hit by $7.6M Exploit After Fake Token Pool Attack
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/18-4m-rhea-finance-hack-built-over-two-days-post-mortem-reveals/