Radiant Capital halts Arbitrum markets after reported $4.5M flash loan attack

Cross-chain lending protocol Radiant Capital has paused its lending and borrowing markets on Arbitrum after receiving reports of a $4.5 million exploit affecting one of its newly created USDC Coin (USDC) markets.

“Today, we received a report of an issue with the newly created native USDC market on Arbitrum,” said Radiant in a Jan. 3 post on X (formerly Twitter), which they added was later validated by Radiant developers and the wider cybersecurity community.

Today, we received a report of an issue with the newly created native USDC market on Arbitrum. After validation by Radiant developers and the wider Web 3 security community, the Radiant DAO Council paused lending/borrowing markets on Arbitrum temporarily while this is…

— Radiant Capital (@RDNTCapital) January 3, 2024

Blockchain security firm Beosin described the exploit as a flash loan attack — with the attacker exploiting a “rounding issue” in the codebase, “which led to a cumulative precision error.”

This ultimately allowed the “attacker to profit through repeated deposit() and withdraw() operations,” it wrote in a Jan. 3 post on X.

An earlier Jan. 2 post from PeckShield also identified the issue as caused by a “known rounding issue” in the current Compound/Aave codebase.

“The root cause is not new: It basically exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave),” it added.

Radiant Capital @RDNTCapital was under a flash loan attack with a loss of $4.5M.
Attacker: https://t.co/L7fXlF8VXP

The attacker manipulated the index parameter (which later served as a denominator) to become extremely large. The contract has a rounding issue in its… pic.twitter.com/8AdY7pjaKE

— Beosin Alert (@BeosinAlert) January 3, 2024

The exploiter managed to siphon a total of $4.5 million in Ether (ETH) from the protocol, according to data from Arbitrum block explorer Arbiscanner.

Radiant has since paused lending and borrowing markets on Arbitrum, and reassured investors that no additional funds were currently at risk. It promised a detailed postmortem, and pledged to restore normal operations once the investigation was completed.

“As a reminder, no action can be taken until the markets are unpaused on Arbitrum,” Radiant added.

Related: Orbit Bridge hack pushes December crypto theft to nearly $100M

Meanwhile, Crypto X has already been flooded with fake Radiant Capital accounts posting phishing links purporting to help users revoke approvals.

Radiant Capital is a decentralized borrowing and lending protocol with cross-chain functionality built using LayerZero technology. The protocol currently has around $315 million in total value locked, according to DefiLlama.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks