Radiant Capital Suspends Arbitrum Markets After Flash Loan Attack

In response to allegations of a $4.5 million attack affecting one of its newly created USDC Coin (USDC) markets, Radiant Capital has suspended its lending and borrowing markets on Arbitrum.

“Today, we received a report of an issue with the newly created native USDC market on Arbitrum,” Radiant stated in a post on X (formerly Twitter) dated January 3. As the post continued, Radiant developers and the broader cybersecurity community confirmed the report.

Today, we received a report of an issue with the newly created native USDC market on Arbitrum. After validation by Radiant developers and the wider Web 3 security community, the Radiant DAO Council paused lending/borrowing markets on Arbitrum temporarily while this is…

— Radiant Capital (@RDNTCapital) January 3, 2024

Beosin, a firm specializing in blockchain security, referred to the flaw as a “rounding error” in the codebase, “which resulted in a cumulative precision error,” thereby committing a flash loan attack.

This ultimately enabled the “assailant to generate profits via recurrent deposits and withdrawals,” the source wrote in a post on X on January 3.

PeckShield previously characterized the issue as the result of a “known rounding issue” in the existing Compound/Aave codebase in a January 2 post.

It further stated, “The underlying cause is not novel: It exploits a time window during which a lending market's (a forked version of the popular Compound/Aave) market becomes active.”

Radiant Capital @RDNTCapital was under a flash loan attack with a loss of $4.5M.
Attacker: https://t.co/L7fXlF8VXP

The attacker manipulated the index parameter (which later served as a denominator) to become extremely large. The contract has a rounding issue in its… pic.twitter.com/8AdY7pjaKE

— Beosin Alert (@BeosinAlert) January 3, 2024

Data from Arbitrum block explorer Arbiscanner indicates that the perpetrator successfully stole $4.5 million worth of Ether from the protocol.

Subsequently, Radiant has suspended lending and borrowing activities on Arbitrum, assuring investors that no further funds are available at this time at risk. It secured regular operations following the conclusion of the investigation and guaranteed a comprehensive postmortem.

Radiant added, “As a reminder until the markets resume trading on Arbitrum, no action can be taken.”

In the interim, fraudulent Radiant Capital accounts have already inundated Crypto X with deceptive links to assist users in rescinding approvals.

Radiant Capital is a decentralized lending and borrowing protocol that utilizes LayerZero technology to enable cross-chain functionality. According to DefiLlama, the protocol presently has an estimated $300,15,000,000 locked value.