Radiant Capital Suffers $4.5M Flash Loan Exploit, Suspends Operations

In a gripping turn of events, Radiant Capital, a leading cross-chain lending protocol, has momentarily frozen its lending and borrowing avenues on the Arbitrum network. This decision comes hot on the heels of a meticulously orchestrated exploit, draining a staggering $4.5 million (equivalent to 2337 ETH) from its recently inaugurated USDC Coin (USDC) markets.

Details of the Flash Loan Attack

Radiant’s tech team, working alongside cybersecurity experts, identified the breach as a flash loan attack. The issue stemmed from a subtle rounding discrepancy in the protocol’s code. Beosin, a leading blockchain security firm, highlighted how this rounding problem led to an unexpected precision error.

Exploiting this error, the attacker adjusted an index parameter. This tweak caused a sharp inflation and resulted in errors during deposit() and withdraw() operations. This flaw gave the attacker a brief yet significant opportunity to gain substantial profits.

Connecting the Dots: Compound/Aave’s Role

PeckShield, an analytics firm, found a connection between this exploit and a vulnerability in the Compound/Aave codebase. Notably, the USDC market was targeted a mere six seconds after its launch. This revelation emphasizes the need for enhanced caution when introducing new markets.

Radiant Capital Jumps into Action

In response, Radiant Capital has suspended its Arbitrum activities. The platform assures users that the breach has not compromised additional funds. A thorough investigation is underway, and operations will resume once completed. Radiant Capital, known for its cross-blockchain asset trading, is now closely observed by the crypto community.

A (Harsh) Lesson for DeFi

This incident highlights the challenges decentralized finance (DeFi) platforms face in ensuring security. As the crypto world grows, such events emphasize the need for robust defenses against sophisticated attacks. The industry will be keenly watching Radiant Capital’s next steps as it navigates this security breach.