Cross-chain lending protocol Radiant Capital suspended its lending and borrowing services on the Ethereum L2 solution Arbitrum protocol yesterday, following a $4.5 million exploit (about 1,900 ETH). At the time of the exploit, Radiant Capital had about $315 million in total value locked, according to DefiLlama, although this has since decreased to under $300 million.
Blockchain security firm Beosin identified the cause as a flash loan attack targeting a rounding error in the protocol's code, leading to a cumulative precision error.
Radiant Capital @RDNTCapital was under a flash loan attack with a loss of $4.5M.
— Beosin Alert (@BeosinAlert) January 3, 2024
Attacker: https://t.co/L7fXlF8VXP
The attacker manipulated the index parameter (which later served as a denominator) to become extremely large. The contract has a rounding issue in its… pic.twitter.com/8AdY7pjaKE
This vulnerability allowed the attacker to manipulate deposit and withdrawal processes.
"Since the index parameter was dramatically inflated, this precision error was also magnified, ultimately allowing the attacker to profit through repeated deposit() and withdraw() operations." - Beosin.
PeckShield had earlier highlighted the problem as a 'known rounding issue' present in the smart contracts of the Compound/Aave codebase. This can be specifically exploited during the activation phase of a new market in a lending protocol. The blockchain security firm reported that the attacker targeted a newly activated USDC market on Arbitrum, exploiting the market just six seconds after it went live.
This kind of attack underscores the risks inherent in using shared or forked codebases in the DeFi sector. While forking from established protocols like Aave and Compound allows for rapid deployment and development, it also means that any vulnerabilities in the original code can be passed on to the new platforms.
Today's hack on @RDNTCapital results in the loss of 1.9k eth (~$4.5m).
— PeckShield Inc. (@peckshield) January 2, 2024
The root cause is not new: It basically exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave). The exploitation also relies on a known rounding… https://t.co/XogWUVO3po pic.twitter.com/x5X9ql8AGA
Radiant Capital quickly ceased its lending and borrowing markets on the protocol in response to the incident and reassured its users that “no current funds are at risk.” The company promised a detailed analysis of the exploit and committed to resuming normal procedures once the investigation is complete.
Following the security breach, Radiant Capital stated there will be "no action taken" until Arbitrum markets are reactivated. The incident sparked a surge in fake Radiant Capital accounts on X, sharing phishing links and offering misleading 'assistance' to users.
The firm reached out to the hacker in a transaction, a common communication method between hackers and victims. Radiant Capital commended their skill in identifying the vulnerability and seemed to hope that the exploit was carried out without malicious intent.
"Hey, we wanted to reach out about the bug you exploited today. Well done on finding it! We're assuming you've did this exploit as a white or greyhat (for various reasons), so are looking to open up comms to sort out the next steps. Shoot us a message at RadiantBugNegotiation@radiant.capital so we can talk further. Looking forward to chatting soon"
The hacker has not yet responded, but we will continue to observe the situation closely. Radiant v2, launched about a year ago with a focus on being the decentralized protocol with the most competitive price-to-fee ratio, began operations on Ethereum in October 2023. It has amassed $445.1 million in investments and offers yields on a variety of assets including USDC, Tether (USDT), SavingsDAI (sDAI), Ethereum (ETH), wrapped stETH (wstETH), and Rocket Pool ETH (rETH).
