Radiant Capital’s flash loan attack leads to $4.5 million in losses.

Cross-chain lending protocol Radiant Capital suffered a loss of nearly $4.5 million following the loss of 1,900 ETH, according to blockchain security and analytics firm PeckShield Inc.

Radiant Capital operates as a decentralized lending and borrowing protocol that features cross-chain functionality built using LayerZero technology. According to the latest data from Defillama, the protocol has a total value of around 315 million dollars.

Radiant Capital Investigates Flash Loan Attack

PeckShield described the Radiant Capital phenomenon as using a six-second time window after the opening of a new USDC market in its lending system.

The attacker capitalized on a “rotation issue” in the codebase, which led to cumulative precision errors. This loophole allowed them to profit by making frequent deposits and withdrawals, as described in the post on X.

Today's hack at @RDNTCapital resulted in a loss of 1.9k eth (~$4.5m).

The root cause is not new: when a new market is activated in the lending market (from the famous Compound/Ave Fork) it essentially uses a time window. The exploit also depends on the known round… pic.twitter.com/x5X9ql8AGA

– PeckShield Inc. (@peckshield) January 2, 2024

Radiant Capital mentioned that the Council of Radiant DAO has temporarily suspended the lending and credit markets on Arbitrum to resolve the issue on X.

The protocol acknowledged that the incident arose “in connection with a newly created domestic USDC market on arbitrage.” It assures users that a postmortem report will be published after the problem is resolved.

Today, we received a report of a problem with a newly created domestic USDC market on Arbitrum. After confirmation by the Radiant developers and the wider Web 3 security community, the Radiant DAO Council has temporarily suspended lending/borrowing markets on arbitrage.

— Radiant Capital (@RDNTCapital) January 3, 2024

Radiant Capital Post emphasized that the current funds are not at risk and assured users that operations will return to normal after the investigation is completed.

However, in this case, fake Radiant Capital accounts on X have proliferated, distributing phishing links pretending to help users revoke approvals, creating additional challenges to manage the aftermath of the security breach.

Flash loan attacks are on the rise

Flash loan attacks continue to pose security challenges in various blockchain ecosystems. In the year On October 12, 2023, Diffie Protocol's Platypus Finance suffered a flash credit attack that resulted in over $2 million in losses.

CertiK's subsequent investigation into the incident revealed that two malicious entities stole approximately $1.3 million worth of staked AVAX (WAVAX) and approximately $913,000 worth of liquid staked AVAX (sAVAX). The criminals specifically targeted the AVAX-sAVAX liquid pool.

On BNB Chain, on October 11, 2023, an attacker using a mined extractable value (MEV) bot made a significant arbitrage profit of $1.575 million. Earlier, in June of the same year, a decentralized finance (DeFi) protocol called Sturdy Finance suffered several hacks, resulting in the loss of 442 ETH worth $800,000.