Radiant Capital Flash Loan Attack Leads to $4.5 Million Loss

Cross-chain lending protocol Radiant Capital has suffered a hack resulting in the loss of 1,900 ETH, equivalent to approximately $4.5 million, according to blockchain security and analytics firm PeckShield Inc.

Radiant Capital operates as a decentralized borrowing and lending protocol featuring cross-chain functionality built using LayerZero technology. As of the latest data from DefiLlama, the protocol has around $315 million in total value locked.

Radiant Capital Investigates Flash Loan Attack

PeckShield explained the Radiant Capital incident as the hacker exploiting a time window just six seconds after the activation of a new USDC market in the lending system.

The attacker capitalized on a “rounding issue” in the codebase, leading to cumulative precision errors. This loophole allowed them to profit through repeated deposit and withdrawal operations, as stated in a post on X.

Today’s hack on @RDNTCapital results in the loss of 1.9k eth (~$4.5m).

The root cause is not new: It basically exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave). The exploitation also relies on a known rounding… https://t.co/XogWUVO3po pic.twitter.com/x5X9ql8AGA

— PeckShield Inc. (@peckshield) January 2, 2024

Radiant Capital, addressing the issue on X, mentioned that the Radiant DAO Council has temporarily suspended lending and borrowing markets on Arbitrum.

The protocol has acknowledged that the incident is a result of an “issue with the newly created native USDC market on Arbitrum.” It assures users that a postmortem report will be published once the problem is resolved.

Today, we received a report of an issue with the newly created native USDC market on Arbitrum. After validation by Radiant developers and the wider Web 3 security community, the Radiant DAO Council paused lending/borrowing markets on Arbitrum temporarily while this is…

— Radiant Capital (@RDNTCapital) January 3, 2024

The Radiant Capital post emphasized that current funds were not at risk and assured users that operations would return to normalcy after the investigation concluded.

However, amidst this situation, fake Radiant Capital accounts on X have been rampant, disseminating phishing links under the guise of aiding users in revoking approvals, creating additional challenges in managing the aftermath of the security breach.

Flash Loan Attacks Become Rampant

Flash loan attacks continue to pose security challenges in various blockchain ecosystems. On October 12, 2023, DeFi Protocol Platypus Finance suffered a flash loan attack that led to a loss of more than $2 million.

CertiK’s subsequent investigation into the incident revealed that two malicious entities stole approximately $1.3 million worth of wrapped AVAX (WAVAX) and around $913,000 in liquid-staked AVAX (sAVAX). The perpetrators specifically targeted the AVAX-sAVAX liquidity pool.

In the BNB Chain, on October 11, 2023, an attacker utilizing a Miner Extractable Value (MEV) bot executed a significant arbitrage profit amounting to $1.575 million. Earlier, in June of the same year, a decentralized finance (DeFi) protocol named Sturdy Finance experienced multiple hacks, resulting in the loss of 442 ETH worth $800,000.