Users of Rhea Finance can no longer withdraw their assets. The protocol halted withdrawals to contain damage after an attacker extracted $7.6 million in USDC, USDT, Zcash, and NEAR.
Related brief (defi security): Polkadot Bridge Exploit Funds Move to Tornado Cash
The exploiter of a Polkadot cross-chain bridge stole $269,000 and transferred the funds into Tornado Cash. The largest single transaction to the mixer was 10 ETH, valued at $231,860. The exploiter's remaining portfolio now contains 423.184 DAI, 0.0206 ETH, 24.49 USDC, and 4.082 EURC. The total current valuation of the portfolio is $512.84.
The exploit occurred when an attacker deployed fake token contracts and created fresh liquidity pools. These pools distorted price feeds, which misled the oracle and validation layer into validating fraudulent transactions. Blockchain security firm CertiK flagged the incident and confirmed the assets were drained.
Related brief (cross-chain bridges): Liquidity constraints capped a 1 billion token mint at $237,000
The haul from a 1 billion token mint was capped at 108.2 Ethereum, or approximately $237,000, because of limited liquidity in the bridged DOT pool. A hacker inserted a forged message into the Hyperbridge cross-chain gateway, which bypassed state-proof verification in the smart contract. This allowed the attacker to seize administrative control of the Polkadot token contract on Ethereum and mint 1 billion bridged DOT tokens. The attacker then liquidated the tokens into the pool, but the fake supply crashed the price of the bridged representation. The broader Polkadot ecosystem and native DOT tokens were not impacted. Hyperbridge had marketed itself as a proof-based interoperability layer offering full node security for cross-chain bridges. Blockchain security firm Blocksec Falcon identified the likely root cause as a Merkle Mountain Range proof replay vulnerability caused by missing proof-to-request binding. The attacker walked away with approximately $237,000.
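What "missing proof-to-request binding" means for a verifier, as an added example that is not Hyperbridge's code or taken from the incident: a plain binary Merkle tree stands in for the Merkle Mountain Range, and the function names and sample messages are assumptions made for illustration. The flawed check accepts a genuine inclusion proof alongside a message that was never committed; the hardened check recomputes the leaf from the message it is about to act on.

```python
import hashlib

def h256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(request: bytes) -> bytes:
    return h256(b"\x00", request)  # 0x00/0x01 prefixes separate leaves from nodes

def build_levels(requests):
    """All tree levels, leaves first (expects a power-of-two leaf count)."""
    level = [leaf_hash(r) for r in requests]
    levels = [level]
    while len(level) > 1:
        level = [h256(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Inclusion proof as a list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def fold(leaf, proof):
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h256(b"\x01", sibling, node) if sibling_is_left else h256(b"\x01", node, sibling)
    return node

def verify_unbound(root, claimed_leaf, proof, request):
    # Flawed: shows claimed_leaf is committed, but `request` never enters the
    # hash, so a proof seen for one message validates any other message.
    return fold(claimed_leaf, proof) == root

def verify_bound(root, proof, request):
    # Hardened: the leaf is recomputed from the request that will be executed.
    return fold(leaf_hash(request), proof) == root

COMMITTED = [b"msg-0", b"msg-1", b"msg-2", b"msg-3"]  # constructed sample messages
LEVELS = build_levels(COMMITTED)
ROOT = LEVELS[-1][0]

def check_binding(index, other_request):
    """(unbound, bound) verdicts when a genuine proof is paired with other_request."""
    proof = prove(LEVELS, index)
    leaf = leaf_hash(COMMITTED[index])
    return (verify_unbound(ROOT, leaf, proof, other_request),
            verify_bound(ROOT, proof, other_request))
```
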
Rhea Finance is the primary DEX and lending layer on the NEAR Protocol, formed in early 2025 through the merger of Ref Finance and Burrow Finance. The protocol previously held over 95% of NEAR's DeFi total value locked. This exploit targets the infrastructure that supports the majority of the network's decentralized finance activity.
Related brief (defi security): DeFi Users Must Protect Themselves Even When Smart Contracts Are Secure
Users of DeFi platforms can lose funds even when no smart contract is breached — if they grant permissions on a compromised frontend. At 14:54 UTC on April 14, 2026, CoW Swap fell victim to a DNS hijacking attack that redirected traffic from swap.cow.fi to a fake website designed to mimic the legitimate interface. The counterfeit site could prompt users to sign transactions or approve token spending limits, opening the door to unauthorized fund transfers. Though the CoW Protocol’s core systems remained secure, the attack exploited the web layer users trust to access the platform. CoW Swap responded by halting its frontend, APIs, and backend as a precaution, even though only the domain system was breached. Users who interacted with the site after the attack were urged to revoke any token approvals granted since that time. These approvals, once given, allow external contracts to spend user tokens up to a set amount without requiring additional approval. The tool revoke.cash was recommended to quickly and safely remove such access. No widespread losses have been confirmed, a result in part of the platform’s non-custodial architecture: user funds never leave their wallets, and the underlying smart contracts were not compromised. But the incident underscores a growing pattern in decentralized finance — attackers are shifting focus from code exploits to frontend infrastructure. DNS hijacking, often achieved through registrar account breaches or social engineering, allows attackers to intercept users before they ever reach a secure protocol. CoW Swap, a decentralized exchange aggregator using Coincidence of Wants to batch and optimize trades, is built to resist transaction manipulation like MEV. Yet its users still face risk the moment they load the website. Security alerts from CoW DAO and firms like Blockaid helped limit exposure, but protection ultimately depends on user action. This attack did not break blockchain cryptography. It bypassed it entirely. 
Repeated incidents like this confirm a new rule in DeFi: your wallet is only as secure as your last click. Frontend attacks will continue as long as domain systems and user habits remain weak. The responsibility no longer stops with developers. It extends to every user who must now verify URLs, audit permissions, and revoke access proactively. Decentralized finance is only as strong as its weakest layer. Today, that layer is often the browser.
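One way to work out which approvals fall under the "granted since that time" advice, as an added example that is not part of the original brief or any CoW Swap tooling: it replays decoded ERC-20 Approval events for a wallet and lists spenders whose allowance is still non-zero and was last set at or after the incident time. The event records, token symbols and `0x...` names are constructed placeholders.

```python
from datetime import datetime, timezone

# Incident time stated in the brief: 14:54 UTC on April 14, 2026.
INCIDENT = datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc)

# Constructed sample of decoded Approval(owner, spender, value) events,
# deliberately out of order. Names are placeholders, not real addresses.
EVENTS = [
    ("2026-04-14T16:00:00+00:00", "DAI",  "0xUser",  "0xSpenderC", 0),         # revoked
    ("2026-04-10T09:00:00+00:00", "USDC", "0xUser",  "0xRouterA",  1_000),     # before incident
    ("2026-04-14T15:02:00+00:00", "USDC", "0xUser",  "0xSpenderB", 2**256 - 1),
    ("2026-04-14T15:05:00+00:00", "DAI",  "0xUser",  "0xSpenderC", 500),
    ("2026-04-14T15:30:00+00:00", "USDC", "0xOther", "0xSpenderB", 50),        # other wallet
    ("2026-04-15T08:00:00+00:00", "USDC", "0xUser",  "0xRouterA",  2_000),     # re-approved after
]

def approvals_to_revoke(events, owner, since=INCIDENT):
    """Return sorted (token, spender) pairs with a live allowance set at/after `since`."""
    latest = {}
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, token, ev_owner, spender, value in ordered:
        if ev_owner == owner:
            # Each Approval event overwrites the previous allowance for this pair.
            latest[(token, spender)] = (datetime.fromisoformat(ts), value)
    # Events record what was granted, not what remains after spending; the
    # token's allowance(owner, spender) view is the authoritative final check.
    return sorted(pair for pair, (ts, value) in latest.items()
                  if value > 0 and ts >= since)
```
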