Cointime


Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03-2024 (UTC+8:00), the Radiant protocol on Arbitrum suffered a flashloan attack. The hacker attacked the Radiant protocol three times, resulting in a total loss of 1.9K $ETH (worth $4.5M). The root cause is a mathematical rounding issue in the `burn` function, which was amplified and exploited on a newly created $USDC market, allowing the hacker to withdraw extra $USDC.

MetaTrust Labs conducted in-depth research and analysis of the exploit, revealing how the hacker exploited the vulnerability.


Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol deployed on multiple chains, including Arbitrum, BNB Chain, and Ethereum.

Radiant protocol's total value locked still stands at $313M after the attack; the team paused the protocol rapidly after the attack, which stopped further losses.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

Three attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the hacker's wallet (0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn (0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55)

What Happened Before the Attack

Fifteen seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The hacker was the first to interact with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into the Radiant pool, with liquidityIndex at 1e27;
  3. Take a $2M flashloan on the Radiant Lending Pool, to inflate the liquidityIndex to 1.8e36;
  4. Repeat step 3, 151 times in total, to inflate the liquidityIndex to 2.7e38, which is 270000000000 times its initial value;
  5. Borrow 90.6 $ETH, worth $215K, from the Radiant pool, which is the profit of this attack;
  6. Create a new contract (0xd8b591);
  7. Approve an unlimited allowance of USDC to the new contract, transfer 543K $USDC to the new contract, and execute the steps below with the new contract;
  8. Deposit 543K $USDC into the Radiant pool, which mints only 2 wei of tokens because amountScaled is 2: 543600000002*1e27/271800000000999999999999998631966035920=2;
  9. Withdraw 407K $USDC from the Radiant pool, which burns only 1 wei of tokens because amountScaled is 1: 407700000000*1e27/271800000000999999999999998631966035920=1.5, and the mathematical rounding issue truncates it. Note that amountScaled is a uint256 variable, so 1.5 becomes 1;
  10. Deposit 271K $USDC into the Radiant pool, which mints 1 wei of tokens because amountScaled is 1: 271800000001*1e27/271800000000999999999999998631966035920=1;
  11. Withdraw 407K $USDC from the Radiant pool, which again burns only 1 wei of tokens because amountScaled is 1;
  12. Repeat steps 10 and 11 up to 18 times, draining from the new market all the $USDC the hacker had deposited earlier;
  13. Swap 2 $WETH for 4.73K $USDC, then swap 3.23K $USDC for 1.36 $WETH;
  14. Repay the AAVE flashloan with 3.5M $USDC as principal and 1.5K $USDC as the fee;
  15. Walk away with a profit of 90 $ETH.

Root Cause

The root cause is a combination of three factors: the hacker was the first to interact with the newly created native USDC market, inflated the liquidityIndex using the flashloan feature of the Radiant protocol, and then used the mathematical rounding issue in `burn` to steal collateral from the lending pool.
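As an added example (not code from the MetaTrust write-up or from Radiant), the following Python reproduces the amountScaled arithmetic of steps 8 to 11 with the liquidityIndex quoted above, measures how much value each truncated burn leaks at the inflated index versus a fresh one, and contrasts a burn that rounds up against the withdrawer; all function and variable names are my own.

```python
RAY = 10**27  # Aave-style "ray" fixed point; a fresh market starts with liquidityIndex = 1e27

# Figures quoted in the attacking steps above; USDC amounts are in 6-decimal base units
INFLATED_INDEX = 271800000000999999999999998631966035920  # liquidityIndex after the 151 flashloan rounds
FRESH_INDEX = 10**27
DEPOSIT_FIRST = 543_600_000_002  # step 8: 543.6K USDC
WITHDRAW = 407_700_000_000       # steps 9 and 11: 407.7K USDC
DEPOSIT_LOOP = 271_800_000_001   # step 10: 271.8K USDC


def scaled_floor(amount, index):
    """amountScaled = amount * 1e27 / liquidityIndex, truncated like uint256 division (the vulnerable rounding)."""
    return amount * RAY // index


def scaled_ceil(amount, index):
    """Round-up variant for burns: the withdrawer absorbs the fractional wei, never the pool."""
    return -(-amount * RAY // index)


def backing_value(scaled, index):
    """Underlying units that `scaled` wei of rToken represent (rayMul, truncated)."""
    return scaled * index // RAY


def pool_discrepancy(amount, index, burn, round_up=False):
    """Return (scaled_units, discrepancy) for one mint (burn=False) or one burn (burn=True).
    Positive discrepancy: the pool paid out more value than it debited (a loss).
    Zero or negative: the pool kept the rounding remainder, so it is safe."""
    scaled = scaled_ceil(amount, index) if (burn and round_up) else scaled_floor(amount, index)
    accounted = backing_value(scaled, index)
    return scaled, (amount - accounted) if burn else (accounted - amount)


def max_burn_loss(index):
    """Upper bound on what one truncated burn can leak: under one wei of rToken, i.e. index/1e27 units."""
    return index // RAY


if __name__ == "__main__":
    for label, index in (("fresh", FRESH_INDEX), ("inflated", INFLATED_INDEX)):
        print(f"{label} index: one wei of rToken is worth {max_burn_loss(index)} USDC units")
        print("  deposit 543.6K  ->", pool_discrepancy(DEPOSIT_FIRST, index, burn=False))
        print("  withdraw 407.7K ->", pool_discrepancy(WITHDRAW, index, burn=True))
        print("  deposit 271.8K  ->", pool_discrepancy(DEPOSIT_LOOP, index, burn=False))
        print("  withdraw 407.7K, burn rounded up ->", pool_discrepancy(WITHDRAW, index, burn=True, round_up=True))
```

At a fresh index every operation rounds to at most one base unit (1e-6 USDC), so the same code also serves as a monitoring check: alert when index/1e27 grows to a size where a single burn can leak a meaningful amount.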

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.
