Radiant Capital halts Arbitrum markets after reported $4.5M flash loan attack

Cross-chain lending protocol Radiant Capital has paused its lending and borrowing markets on Arbitrum after receiving reports of a $4.5 million exploit affecting one of its newly created USDC Coin (USDC) markets.

“Today, we received a report of an issue with the newly created native USDC market on Arbitrum,” said Radiant in a Jan. 3 post on X (formerly Twitter). Later in the day, Radiant confirmed it they were subject to a “flash-loan based exploit.”

"The emergency administrative controls were invoked by the Radiant DAO Council to pause all markets on Arbitrum to mitigate any further damage," it added. 

Radiant Capital was subject to a flash-loan-based exploit upon launching the new native USDC market on Arbitrum on January 2nd at 06:53:29 PM +UTC, leading to the protocol accruing bad debt in the WETH market totaling about 1.3% of total protocol TVL. 1/10

— Radiant Capital (@RDNTCapital) January 3, 2024

Blockchain security firm Beosin described the exploit as a flash loan attack — with the attacker exploiting a “rounding issue” in the codebase, “which led to a cumulative precision error.”

This ultimately allowed the “attacker to profit through repeated deposit() and withdraw() operations,” it wrote in a Jan. 3 post on X.

An earlier Jan. 2 post from PeckShield also identified the issue as caused by a “known rounding issue” in the current Compound/Aave codebase.

“The root cause is not new: It basically exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave),” it added.

Radiant Capital @RDNTCapital was under a flash loan attack with a loss of $4.5M.
Attacker: https://t.co/L7fXlF8VXP

The attacker manipulated the index parameter (which later served as a denominator) to become extremely large. The contract has a rounding issue in its… pic.twitter.com/8AdY7pjaKE

— Beosin Alert (@BeosinAlert) January 3, 2024

The exploiter managed to siphon a total of $4.5 million in Ether ( ETH ) from the protocol, according to data from Arbitrum block explorer Arbiscanner.

Radiant has since paused lending and borrowing markets on Arbitrum and reassured investors that no additional funds are currently at risk. It promised a detailed postmortem and pledged to restore normal operations once the investigation was completed.

“As a reminder, no action can be taken until the markets are unpaused on Arbitrum,” Radiant added.

Related: Orbit Bridge hack pushes December crypto theft to nearly $100M

Meanwhile, Crypto X has already been flooded with fake Radiant Capital accounts posting phishing links purporting to help users revoke approvals.

Radiant Capital is a decentralized borrowing and lending protocol with cross-chain functionality built using LayerZero technology. The protocol currently has around $315 million in total value locked, according to DefiLlama.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks

Update (Jan 4, 4:19 am UTC): This article has been updated to include the latest X post from Radiant Capital confirming the type of attack.