A sophisticated oracle manipulation attack on the NEAR network has resulted in the loss of approximately $18.4 million, marking one of the largest decentralized finance exploits of March 2026. The attack, which blockchain security firm PeckShield tracked in real time, involved an attacker who spent two full days preparing a sprawling infrastructure of 423 wallets and eight fake liquidity pools before executing the price manipulation. The incident highlights the persistent vulnerabilities in oracle-dependent protocols, even as the broader crypto market grapples with heightened security concerns. Bitcoin trades at approximately $69,927 and Ethereum at $2,037 as the community processes the implications of yet another major exploit.
The Exploit Mechanics
The attacker’s preparation was methodical and patient. Over a 48-hour period preceding the attack, the bad actor systematically created 423 separate wallet addresses on the NEAR network. Each wallet received carefully calibrated amounts of tokens, distributed across multiple liquidity pools that the attacker had deployed specifically for the operation.
These eight fake liquidity pools were designed to create artificial pricing data that NEAR-based protocols relied upon for their oracle feeds. By controlling both the supply and demand sides of these pools, the attacker could manipulate the reported price of assets far beyond their actual market value. When the manipulated oracle data was fed into lending and trading protocols, it triggered a cascade of liquidations and unauthorized withdrawals.
The core vulnerability exploited was a classic oracle manipulation vector, but executed at unprecedented scale. Rather than targeting a single protocol, the attacker created a web of interconnected pools that collectively distorted price feeds across multiple NEAR DeFi applications simultaneously. This multi-protocol approach amplified the damage and made detection more difficult during the initial phases of the attack.
Affected Systems
Several NEAR-based DeFi protocols were impacted by the corrupted oracle data. Lending platforms experienced wrongful liquidations as collateral values were artificially inflated and then crashed. Automated market makers saw their reserves drained through arbitrage opportunities created by the price discrepancies between the manipulated pools and legitimate markets.
Tether, the issuer of USDT, responded swiftly by freezing approximately $3.29 million of the stolen funds that had been converted to USDT on various exchanges. This action prevented a portion of the loot from being further laundered, though the majority of the $18.4 million remains unaccounted for. The rapid response by Tether demonstrates the growing capability of stablecoin issuers to assist in crisis mitigation, even if it cannot fully reverse the damage.
The attack occurred during a period of heightened market volatility, with Bitcoin oscillating between $67,000 and $72,400 and the Crypto Fear and Greed Index registering Extreme Fear at 18 out of 100. This market stress may have contributed to delayed detection, as unusual transaction patterns blended with already elevated trading activity.
The Mitigation Strategy
In the aftermath of the exploit, several mitigation measures have been implemented or proposed. NEAR protocol developers have initiated a review of all oracle integrations, with particular focus on liquidity thresholds that should trigger alerts when new pools are created at scale. The 423-wallet deployment pattern should have raised red flags earlier, and network-wide monitoring systems are being upgraded to detect similar preparation patterns.
Decentralized oracle networks are also reassessing their data aggregation methodologies. The attack exposed the danger of relying on thin liquidity pools as price sources, especially when those pools can be created permissionlessly. New proposals include minimum liquidity requirements, time-weighted average price calculations over longer windows, and cross-referencing with external price feeds from established centralized exchanges.
PeckShield, which has been tracking crypto exploits throughout March 2026, reports that total losses across approximately 20 incidents this month have reached roughly $52 million, representing a 96 percent increase compared to the previous month. The NEAR oracle manipulation accounts for the single largest portion of these losses.
Lessons Learned
The NEAR exploit reinforces several critical lessons for the DeFi ecosystem. First, oracle security remains a fundamental weak point that no amount of smart contract auditing can fully address. The smart contracts themselves may be flawless, but if the data they receive is corrupted, the outcomes will be catastrophic regardless.
Second, the scale of preparation, involving hundreds of wallets and multiple fake pools, demonstrates that attackers are becoming increasingly sophisticated. Simple monitoring solutions that track individual wallet behavior are insufficient against coordinated, multi-address attacks. Protocol developers must implement system-wide pattern detection that can identify suspicious clusters of activity before they reach critical mass.
Third, the incident underscores the importance of circuit breakers and emergency pause mechanisms. Protocols that had such safeguards in place were able to limit their exposure, while those without them suffered maximum losses.
User Action Required
Users who interact with NEAR-based DeFi protocols should take immediate steps to protect their assets. Review any active positions on lending platforms and assess whether they may have been affected by wrongful liquidations. If your collateral was liquidated during the attack window, document the transactions and contact the affected protocol’s support team, as several projects have announced reimbursement plans.
For users across all chains, this incident serves as a reminder to diversify across multiple protocols and chains rather than concentrating funds in a single ecosystem. Enable transaction notifications, set up alerts for unusual activity in your wallets, and consider using hardware wallets for long-term storage rather than keeping funds in hot wallets connected to DeFi protocols. As March 2026 has already demonstrated, the threat landscape continues to evolve rapidly, and proactive security measures remain the best defense against emerging attack vectors.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
423 wallets over 48 hours and nobody flagged this? where was the on-chain monitoring for near?
423 wallets and zero alerts. the NEAR ecosystem monitoring tools are clearly not where they need to be for defi at this scale
8 fake liquidity pools to manipulate the price feed. classic oracle attack vector that keeps repeating because protocols keep using the same twap design
Hana the 8 pool setup is textbook. create thin liquidity, manipulate price, extract. same play every time because custom oracles keep getting rolled instead of battle tested ones
18.4m gone because someone couldnt be bothered to use chainlink or pyth. how many times does this need to happen
^ exactly. the cost of integrating a proper oracle is trivial compared to losing 18 million. pure negligence from the protocol team
8 fake pools and a twap oracle. the exploit blueprint has been public since bZx in 2020. protocols keep copy pasting the same vulnerable design