Radiant Capital Halts Markets After $4.5M Exploit on Arbitrum

The protocol for cross-chain lending As a result of receiving reports of a $4.5 million exploit that affected one of its freshly minted USDC Coin (USDC) markets, Radiant Capital has temporarily halted its lending and borrowing markets on Arbitrum.

Radiant published a message on January 3 on X (formerly known as Twitter), stating, “Today, we received a report of an issue with the newly created native USDC market on Arbitrum.” Radiant developers and the larger cybersecurity community later confirmed the authenticity of the claim.

Beosin, a company that specializes in blockchain security, referred to the vulnerability as a flash loan attack. The attacker took advantage of a “rounding issue” in the coding, which “led to a cumulative precision error.”

As stated in a post published on X on January 3, the “attacker was able to profit through repeated deposit() and withdraw() operations.”

On January 2nd, PeckShield previously identified the problem as a “known rounding issue” in the Compound/Aave codebase.

An additional statement stated that “the root cause is not new, it exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave)”. Information obtained via the Arbitrum block explorer Arbiscanner reveals that the exploiter successfully stole a total of $4.5 million worth of Ether from the protocol.

Since then, Radiant has put a halt to the loan and borrowing markets on Arbitrum, assuring investors that these markets are now not at risk of losing any additional funds.

In addition to committing to restoring normal operations after the investigation was over, it agreed to conduct a comprehensive postmortem examination. The company further stated that no action can be taken until the markets are unpaused on Arbitrum, as a reminder.

Phony Radiant Capital accounts that have posted phishing links claiming to assist users in revoking their approvals have already inundated Crypto X. Radiant Capital, a decentralized protocol for borrowing and lending that also features cross-chain capabilities, utilized LayerZero technology in its development.

A fake Radiant Capital account attempts to trick unsuspecting users into clicking phishing links. Source: X

Based on the information provided by DefiLlama, the protocol now has a total locked value of approximately $315 million.