Cointime

Cointime

Download App
iOS & Android

Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

Cointime精选

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol, on multiple chains, including Arbitrum, BNBChain, and Ethereum.

Radiant protocol’s total value locked still has $313M after the attack, due to their rapid pause of protocol after the attack, stopped the further loss.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

3 attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the hacker’s wallet(0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn(0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55).

What Happened Before the Attack

15 seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The hacker is the first one who interacts with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into Radiant Pool, with liquidityIndex as 1e27

3. Do a $2M flashloan on Radiant Lending Pool, to inflate the liquidityIndex to 1.8e36.

4. Repeatedly execute step 3, 151 times, to inflate the liauidityIndex to 2.7e38, which is 270000000000 times of its initial value.

5. Borrow 90.6 $ETH, worth $215K, from Radiant Pool, which is the profit of this attack;

6. Create a new contract (0xd8b591);

7. Approve an unlimited allowance of USDC to the new contract, transfer 543K $USDC to the new contract, and execute the below steps with the new contract;

8. Deposit 543K $USDC to the Radiant pool, to mint 2 wei tokens because amountScaled is 2, 543600000002*1e27/271800000000999999999999998631966035920=2;

9. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1, 407700000000*1e27/271800000000999999999999998631966035920=1.5 and the mathematical rounding issue. Note that amountScaled is a uint256 type variable that will turn 1.5 into 1.

10. Deposit 271K $USDC to the Radiant pool, mint 1 wei token because the amountScaled as 1, 271800000001*1e27/271800000000999999999999998631966035920=1 ;

11. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1.

12. Repeat steps 10 and 11 as many as 18 times, and drain all the $USDC, which was deposited by the hacker before, from the new market.

13. Swap 2 $WETH for 4.73K $USDC, swap 3.23K $USDC for 1.36 $WETH.

14. Repay flashloan from AAVE with 3.5m $USDC as principal and 1.5K $USDC as a fee.

15. Get a profit of 90 $ETH.

Root Cause

The root causes are that the hacker is the first one who interacts with the newly created native USDC market, inflates liquidityIndex with the floanloan feature of Radiant protocol, and uses the mathematical rounding issue to steal collateral from the lending pool.

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.

hacker Radiant Capital Vulnerability
Comments

All Comments

Recommended for you

  • VINCERO ·

    Maldives to build $9 billion crypto hub to attract investment: Report

    Government officials hope the move can attract foreign investment into the Maldives, diversify its revenue streams, and alleviate its debt.

    Maldives to build $9 billion crypto hub to attract investment: Report
  • Martin Young ·

    Hackers use New York Post’s X account to send scam DMs, users report

    Crypto users have reported receiving unsolicited direct messages from the New York Post’s official X account offering an interview.

    Hackers use New York Post’s X account to send scam DMs, users report

  • Trump: I don't expect a third term as president

    President Trump said, "I do not look forward to a third term as president."

  • BTC falls below $95,500

    the market shows that BTC has fallen below $95,500, now trading at $95,494.83, with a 24-hour decline of 0.63%. The market fluctuates greatly, so please be prepared for risk control.

  • BTC breaks through $97,000

    the market shows BTC breaking through $97,000, now trading at $97,011.43, with a 24-hour increase of 0.85%. The market is volatile, please manage risks.

  • The JuCoin ecological project JuChain has been launched on the main network, and the public chain co construction summit will be held. The ecological debut protocol is Butterfly

    Cointime News:JuCoin's self-developed public chain JuChain has been launched on the main network. The JuChain Public Chain Co construction Summit initiated by JuCoin will be held on May 15, 2025 in Bangkok, Thailand. The conference will release the first ecological agreement--

  • BTC breaks through $96,000

    the market shows that BTC has broken through $96,000 and is now trading at $96,014.98, with a 24-hour increase of 1.15%. The market fluctuates greatly, so please manage your risks well.

  • JuCoin CEO: UX design in the encryption industry needs to pay attention to user emotional details to enhance user experience

    Cointime News: JuCoin CEO Sammi Li delivered a keynote speech at the TOKEN2049 conference, analyzing the current challenges in user experience (UX) design in the cryptocurrency industry. Sammi Li believes that the existing encryption product experience fails to effectively empathize with users, often leading to usage anxiety, which hinders the large-scale adoption of Web3. Combining her rich experience in the luxury goods industry, she emphasizes that building trust relies on paying attention to user emotions and critical moments of interaction, and constructing it through details rather than simply technical presentations. JuCoin is applying these user centered design principles to its Web3 ecosystem construction, aiming to lower user barriers and enhance user experience by optimizing JuChain and related product designs. It calls on the encryption industry to think together and place user experience at a more core position.

  • Xiongan New Area: Combining blockchain with digital RMB to launch "Digital Currency Loan" product, with payment amount of nearly 100 million yuan

    On January 11th, according to the Xiong'an Public Account, the digital RMB pilot in Xiong'an New Area has achieved new results. The first digital RMB tax payment transaction in the financial field has been completed, and self-service tax terminals have been developed. The "blockchain + digital RMB" technology is applied to government procurement management, increasing the proportion of advance payment and landing multiple applications to solve corporate problems. In 2024, the People's Bank of China Xiong'an New Area Branch, together with the Xiong'an New Area Reform and Development Bureau, will launch the "Implementation Plan for the Deepening of the Pilot Work of Digital RMB in the Rongdong Area", to enhance public awareness. By combining blockchain with digital RMB, the "digital currency loan" product will be launched, with a payment amount of nearly 100 million yuan.

  • Rapper 50 Cent claims that his X account was hacked, and the hacker promoted cryptocurrency and defrauded about $300 million

    On June 22nd,famous rapper Curtis James Jackson III (stage name "50 Cent") claimed that his former Twitter account and website were hacked, resulting in hackers promoting a cryptocurrency scam and defrauding victims of $30 million.The hackers created a new cryptocurrency called "GUNIT" and used 50 Cent's large following (approximately 12.9 million fans) to attract more investors and drive up the price, then drained its value, causing the token price to plummet to $0.00016. On June 21st, 50 Cent posted on Instagram to his 32.8 million fans about the hack and admitted that a large amount of funds from victims had been lost from the project. "Twitter quickly locked my account. Whoever did this, got $30 million within 30 minutes," 50 Cent claimed, stating that he had no involvement with this cryptocurrency scam.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company
Cointime

Hot Coins

Trending