Radiant Capital halts Arbitrum markets after $4.5 million flash loan attack
Cross-chain lending protocol Radiant Capital has suspended its lending and borrowing markets on Arbitrum after reports of a $4.5 million exploit affecting one of its newly created USD Coin (USDC) markets.
“Today we received a report of a newly created USDC market issue on Arbitrum,” Radiant said in a Jan. 3 post on X (formerly Twitter), adding that the issue was later confirmed by Radiant developers and the wider cybersecurity community.
Today, we received a report of a problem with a newly created domestic USDC market on Arbitrum. After confirmation by the Radiant developers and the wider Web 3 security community, the Radiant DAO Council has temporarily suspended lending/borrowing markets on Arbitrum.
— Radiant Capital (@RDNTCapital) January 3, 2024
Blockchain security firm Beosin described the exploit as a flash loan attack in which the attacker used a “questionable issue” in the codebase, “which resulted in a cumulative error.”
This ultimately “allowed the attacker to profit by repeatedly depositing and withdrawing operations,” Beosin wrote on X on January 3.
An earlier post from PeckShield on January 2 described the issue as being caused by a “known rounding issue” in the current Compound/Aave codebase.
“The root cause is not new: when a new market is activated in the credit market (from the famous Compound/Aave fork), it basically uses a time window,” it added.
Radiant Capital @RDNTCapital was under flash loan attack losing $4.5M. Striker: https://t.co/L7fXlF8VXP
The attacker makes the index parameter (which is later used as an identifier) too large. The contract is in… pic.twitter.com/8AdY7pjaKE
— Beosin Alert (@BeosinAlert) January 3, 2024
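The rounding effect Beosin and PeckShield describe can be measured directly. The sketch below is an added example, not Radiant's or Aave's code: it assumes Aave v2-style half-up ray arithmetic (27-decimal fixed point), and the function names, thresholds and sample values are constructed for illustration. It shows how the worst-case error of a single deposit or withdraw conversion grows with the index, and how a pre-activation check can flag a market whose index is inflated or whose supply is nearly empty.

```python
RAY = 10**27  # 27-decimal fixed-point unit (assumption: Aave v2-style ray math)

def ray_div(a, b):
    """Half-up fixed-point division: underlying amount -> scaled shares."""
    return (a * RAY + b // 2) // b

def ray_mul(a, b):
    """Half-up fixed-point multiplication: scaled shares -> underlying amount."""
    return (a * b + RAY // 2) // RAY

def round_trip_drift(amount, index):
    """Units created (+) or destroyed (-) when `amount` is converted to
    scaled shares and straight back at the same index."""
    return ray_mul(ray_div(amount, index), index) - amount

def max_drift_per_op(index):
    """Bound on the rounding error of one conversion: half a share,
    expressed in underlying units. Zero while the index is near 1.0."""
    return index // (2 * RAY)

def worst_drift(index, amounts):
    """Largest absolute round-trip drift over a set of test amounts."""
    return max(abs(round_trip_drift(a, index)) for a in amounts)

def market_findings(index, total_scaled_supply,
                    max_drift_units=1, min_scaled_supply=10**6):
    """Hypothetical gate to run before unpausing or activating a market.
    Both thresholds are illustrative, not values from any protocol."""
    findings = []
    if max_drift_per_op(index) > max_drift_units:
        findings.append("index_inflated")
    if total_scaled_supply < min_scaled_supply:
        findings.append("near_empty_market")
    return findings

if __name__ == "__main__":
    amounts = range(1, 5000)                 # constructed sample amounts
    healthy, inflated = RAY, 1000 * RAY      # index 1.0 vs. index 1000.0
    print("healthy  worst drift:", worst_drift(healthy, amounts))
    print("inflated worst drift:", worst_drift(inflated, amounts))
    print("healthy  findings:", market_findings(healthy, 10**9))
    print("inflated findings:", market_findings(inflated, 2))
```

At an index of 1.0 every conversion is exact; at an index of 1000.0 each conversion can be off by up to 500 units, which is the per-operation error that accumulates over repeated deposits and withdrawals.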
According to data from Arbitrum block explorer Arbiscan, the exploiter was able to withdraw a total of $4.5 million in Ether (ETH) from the protocol.
Radiant has paused the lending and borrowing markets on Arbitrum and assured investors that no additional funds are currently at risk. A detailed post-mortem has been promised and normal operations will be restored once the investigation is complete.
“As a reminder, no action can be taken until the markets are settled on Arbitrum,” Radiant added.
Meanwhile, Crypto X has been flooded with fake Radiant Capital accounts posting phishing links that purport to help users revoke approvals.
Radiant Capital's decentralized lending and borrowing protocol is built for cross-chain functionality using LayerZero technology. The protocol currently has a total value locked of $315 million, according to DefiLlama.