Rhea Finance lost $7.6M in a NEAR exploit, but Tether froze $3.29M in USDT. So why did $230M in USDC move freely during the Drift hack? | Credit: CCN.com
Share
Key Takeaways
Rhea exploit highlights oracle risk as the $7.6 million attack shows how manipulating liquidity and fake tokens can still break DeFi pricing systems, especially in ecosystems with concentrated TVL.
Freezing $3.29 million in USDT significantly limited the attacker’s ability to cash out, demonstrating the power of centralized controls in crisis scenarios.
Both USDT and USDC have built-in controls, but how and when issuers use them varies dramatically.
Around $230 million in USDC moved freely during the exploit, raising concerns about delayed intervention and real-time risk containment.
The past few weeks have delivered a stark lesson in how differently the crypto ecosystem can respond to security incidents. Two exploits, Rhea Finance on NEAR and Drift Protocol on Solana, highlight a growing divide not just in technical vulnerabilities, but in how stablecoin issuers and infrastructure providers intervene when things go wrong.
In one case, millions were quickly frozen. In the other, hundreds of millions flowed freely.
Understanding why requires unpacking the mechanics of the Rhea exploit, the role of oracles, the legal frameworks behind asset freezing, and the contrasting philosophies of stablecoin giants Tether and Circle.
How the Rhea Finance Exploit Happened: Oracle Manipulation on NEAR
Rhea Finance, a major DeFi protocol on the NEAR blockchain, suffered a $7.6 million exploit after an attacker manipulated its oracle system. According to security reports, the attacker deployed fake token contracts and injected liquidity into newly created pools. This activity appears to have misled Rhea’s price oracle and validation mechanisms, enabling the extraction of assets including USDC, USDT, ZEC, and wrapped NEAR.
The attack is a textbook example of oracle manipulation, a class of exploits where attackers distort price feeds or liquidity signals that DeFi protocols rely on to function correctly.
Rhea responded quickly:
Smart contracts were paused to prevent further losses
The team initiated communication with the attacker
Security experts were brought in to assess and mitigate risk
But what stands out most is what happened next.
Tether Freezes $3.29M USDT: How Stablecoin Issuers Stop Hackers
Within hours, Tether froze approximately $3.29 million in USDT linked to the attacker’s wallet. CEO Paolo Ardoino confirmed the action publicly, reinforcing Tether’s long-standing posture of active intervention in exploit scenarios.
This move immediately reduced the attacker’s ability to cash out a significant portion of the stolen funds.
Tether froze 3.29 million USDT to the hackers. | Credit: Paolo Ardoino X profile
It also underscored a key reality of modern crypto markets: Stablecoins are not neutral; they are programmable financial infrastructure with embedded control mechanisms.
Tether’s ability to freeze funds is not new. The company has:
Collaborated with over 310 law enforcement agencies globally
Operated across 64 jurisdictions
Helped recover more than $800 million in illicit or stolen funds
In the Rhea case, this infrastructure translated into immediate containment.
Can Stablecoins Be Frozen? Legal and Technical Breakdown of USDT Controls
The ability for issuers like Tether to freeze funds comes from a combination of smart contract design and regulatory positioning.
1. Smart Contract Control
USDT (and USDC) tokens include administrative functions that allow issuers to:
These controls are built directly into the token contracts on blockchains.
2. Compliance Frameworks
Tether operates within a compliance-driven model that enables:
Cooperation with law enforcement
Response to court orders or sanctions lists
Rapid intervention in cases of confirmed illicit activity
This means freezing funds does not require a lengthy on-chain governance vote—it can be executed centrally, often in coordination with investigators.
3. Risk-Based Intervention
Importantly, issuers typically act when:
Funds are clearly linked to exploits or criminal activity
There is high confidence in attribution
Intervention is legally defensible
In Rhea’s case, the attack vector and wallet flows were quickly identified, enabling decisive action.
Drift Protocol Hack Explained: Why $230M in USDC Was Not Frozen
Contrast this with the April 1 exploit on Drift Protocol, which resulted in approximately $285 million in user losses.
Blockchain investigator ZachXBT highlighted that roughly $230 million in USDC was able to move freely during the incident, without being frozen in time.
ZachXBT unveiled a large complaince failure involving USDC. | Credit: ZachXBT X profile
This discrepancy raises a critical question: Why was $3.29 million frozen quickly in Rhea, while hundreds of millions moved unimpeded in Drift?
Tether vs Circle: Why Response Times Differ in Crypto Exploits
The answer lies largely in Circle’s operational philosophy and legal constraints.
Circle typically requires formal legal process before freezing assets
This may include court orders or direct law enforcement requests
The company avoids unilateral intervention without clear legal backing
In fast-moving exploit scenarios, this creates a timing problem.
While attackers can bridge, swap, and obfuscate funds within minutes or hours, legal processes often take significantly longer. As a result, by the time intervention becomes possible, much of the capital may have already moved beyond recoverable channels.
ZachXBT’s broader allegations reinforce this pattern, pointing to over $420 million in compliance-related failures since 2022, including multiple cases where large USDC flows were not frozen in time.
Stablecoin Freezing Policies Compared: USDT vs USDC in Security Incidents
At the heart of the Rhea vs. Drift contrast is a fundamental tradeoff:
Neither approach is inherently “correct”—they reflect different priorities.
But in the context of exploits, speed often determines outcomes.
Tether’s Role in the Drift Recovery Plan and DeFi Crisis Management
The Drift incident also revealed another dimension of stablecoin influence.
Following the exploit, Tether didn’t just freeze funds elsewhere, it stepped in to support Drift’s recovery, contributing up to $127.5 million as part of a broader $150 million recovery plan.
This involvement included:
Stabilizing the platform’s relaunch
Supporting user recovery through revenue-linked mechanisms
Facilitating Drift’s transition from USDC to USDT as its settlement asset
This shift is significant.
It signals that stablecoin issuers are evolving from passive liquidity providers into active ecosystem stabilizers.
Oracle Vulnerabilities in DeFi: Lessons from the Rhea Finance Hack
While the stablecoin response dominates headlines, the underlying cause of the Rhea exploit remains critical: oracle design weaknesses.
Rhea held approximately 95% of NEAR’s $125 million TVL, making it a systemic component of the ecosystem. Its compromise highlights several ongoing risks:
Thin liquidity pools can be manipulated easily
Newly created markets may lack sufficient validation safeguards
Oracle dependencies create single points of failure
Why DeFi Security Is Still Fragmented Across Protocols and Infrastructure
Taken together, Rhea and Drift expose a broader issue: Crypto security is fragmented across protocols, infrastructure providers, and off-chain actors.
Each layer operates independently:
Protocols manage smart contract risk
Oracles supply external data
Stablecoin issuers control liquidity rails
Law enforcement handles legal enforcement
When these layers fail to coordinate in real time, attackers exploit the gaps.
What Crypto Users Should Learn from the Rhea and Drift Exploits
For users, these events reinforce several key takeaways:
Not all stablecoins behave the same in crisis scenarios.
Centralization can be a feature, not just a risk, when it comes to recovery.
Speed of response matters more than size of exploit.
The Drift incident and Rhea response highlight how stablecoins are evolving into core infrastructure layers that actively shape outcomes during crises.
Ultimately, the contrast between Rhea and Drift is not just about freezing funds.
It’s about trust.
Trust that protocols can withstand manipulation
Trust that infrastructure providers will act when needed
Trust that users won’t be left exposed in the aftermath
Tether’s actions position it as a more interventionist player, while Circle’s approach emphasizes procedural safeguards.
As DeFi matures, these differences will shape how capital flows and how users assess risk.
Because in crypto, the question is no longer just “Can funds be stolen?”
It’s increasingly: “Who can stop it? And how fast?”
The Rhea Finance exploit involved an attacker deploying fake token contracts and adding liquidity to newly created pools, which misled the protocol’s oracle system. This allowed the attacker to drain approximately $7.6 million in assets, including USDC, USDT, ZEC, and wrapped NEAR.
How did Tether freeze $3.29 million in USDT?
Tether froze the funds by using administrative controls embedded in the USDT smart contract. These controls allow Tether to blacklist specific wallet addresses and prevent further transfers, typically in coordination with law enforcement or when illicit activity is clearly identified.
Why can stablecoins like USDT and USDC be frozen?
Stablecoins such as USDT and USDC are centrally issued and include smart contract functions that allow issuers to freeze or blacklist funds. These features are designed to comply with regulatory requirements and to respond to hacks, fraud, or sanctions.
Why wasn’t USDC frozen during the Drift Protocol hack?
Circle, the issuer of USDC, generally requires formal legal authorization, such as a court order or law enforcement request—before freezing funds. This process can take time, allowing attackers to move funds before intervention occurs.
Disclaimer:
The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.
Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.
Easy 
