Cointime


Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03-2024 UTC+8:00, the Radiant protocol on Arbitrum was hit by a flashloan attack. The attacker hit the #Radiant protocol 3 times, for a total loss of 1.9K $ETH (worth $4.5M). The root cause is a mathematical rounding issue in the `burn` function, amplified on a newly created $USDC market, which let the attacker withdraw extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the attacker exploited the vulnerability.


Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol, on multiple chains, including Arbitrum, BNBChain, and Ethereum.

Radiant's total value locked still stood at $313M after the attack, because the team paused the protocol quickly and stopped further losses.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

The 3 attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the attacker's wallet (0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn (0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55)

What Happened Before the Attack

15 seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The attacker was the first account to interact with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into the Radiant pool while liquidityIndex is 1e27;
  3. Take a $2M flashloan on the Radiant Lending Pool to inflate the liquidityIndex to 1.8e36;
  4. Repeat step 3 151 times to inflate the liquidityIndex to 2.7e38, which is 270000000000 times its initial value;
  5. Borrow 90.6 $ETH, worth $215K, from the Radiant pool, which is the profit of this attack;
  6. Create a new contract (0xd8b591);
  7. Approve an unlimited USDC allowance to the new contract, transfer 543K $USDC to it, and execute the steps below from the new contract;
  8. Deposit 543K $USDC into the Radiant pool, minting only 2 wei of tokens because amountScaled is 2: 543600000002*1e27/271800000000999999999999998631966035920 = 2;
  9. Withdraw 407K $USDC from the Radiant pool, burning only 1 wei of tokens because amountScaled is 1: 407700000000*1e27/271800000000999999999999998631966035920 = 1.5, and the mathematical rounding issue applies. Note that amountScaled is a uint256, so the integer division truncates 1.5 to 1;
  10. Deposit 271K $USDC into the Radiant pool, minting 1 wei of tokens because amountScaled is 1: 271800000001*1e27/271800000000999999999999998631966035920 = 1;
  11. Withdraw 407K $USDC from the Radiant pool, burning only 1 wei of tokens because amountScaled is 1;
  12. Repeat steps 10 and 11 18 times, draining from the new market all the $USDC the attacker had deposited earlier;
  13. Swap 2 $WETH for 4.73K $USDC, then swap 3.23K $USDC for 1.36 $WETH;
  14. Repay the AAVE flashloan with 3.5m $USDC as principal and 1.5K $USDC as the fee;
  15. Walk away with a profit of 90 $ETH.

Root Cause

The root causes are that the attacker was the first to interact with the newly created native USDC market, inflated the liquidityIndex using Radiant's flashloan feature, and then used the mathematical rounding issue in the scaled-amount division to steal collateral from the lending pool.
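To make the arithmetic of steps 8 to 12 and the root cause concrete, here is an added Python model (not Radiant's or Aave's code) that replays the deposits and withdrawals against the inflated liquidityIndex quoted above, with the truncating division the article describes beside a burn that rounds up against the user. The toy pool ignores interest accrual and pool liquidity limits; that simplification is an assumption of the model.

```python
# Added example: replays the scaled-balance arithmetic of steps 8-12 against
# a toy pool. Not Radiant's or Aave's code; interest and liquidity are ignored.

RAY = 10**27
# liquidityIndex after the 151 flashloans, as quoted in step 8 of the article.
INFLATED_INDEX = 271800000000999999999999998631966035920

# Amounts in USDC base units (6 decimals), taken from steps 8-11.
FIRST_DEPOSIT = 543_600_000_002
WITHDRAW = 407_700_000_000
CYCLE_DEPOSIT = 271_800_000_001


def scaled_floor(amount: int, index: int) -> int:
    """amount * RAY / index truncated like a uint256 division (the rounding the article describes)."""
    return amount * RAY // index


def scaled_ceil(amount: int, index: int) -> int:
    """Same division rounded up: the direction a burn should round so the pool is never short-changed."""
    return -(-(amount * RAY) // index)


def replay(burn_rounding=scaled_floor, cycles: int = 18) -> tuple[int, int]:
    """Run steps 8-12 with the given burn rounding.

    Returns (attacker_net_usdc, completed_withdrawals); net is negative when
    the attacker pays in more than they take out.
    """
    ops = [("deposit", FIRST_DEPOSIT), ("withdraw", WITHDRAW)]           # steps 8-9
    ops += [("deposit", CYCLE_DEPOSIT), ("withdraw", WITHDRAW)] * cycles  # steps 10-12
    scaled_balance, net, done = 0, 0, 0  # rUSDCn wei held, USDC out minus in, withdrawals
    for kind, amount in ops:
        if kind == "deposit":
            minted = scaled_floor(amount, INFLATED_INDEX)  # mint always rounds down
            if minted == 0:
                break  # a pool rejects a zero-wei mint
            scaled_balance += minted
            net -= amount
        else:
            burned = burn_rounding(amount, INFLATED_INDEX)
            if burned == 0 or burned > scaled_balance:
                break  # burn would revert: nothing to burn, or more than the balance
            scaled_balance -= burned
            net += amount
            done += 1
    return net, done
```

Under truncation the loop completes every withdrawal while the attacker never holds more than 2 wei of rUSDCn; rounding the burn up makes the first cycle's withdrawal fail and leaves the attacker out of pocket, although the index inflation itself still needs its own mitigation.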

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.
