Cointime

Cointime

Download App
iOS & Android

Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol, on multiple chains, including Arbitrum, BNBChain, and Ethereum.

Radiant protocol’s total value locked still has $313M after the attack, due to their rapid pause of protocol after the attack, stopped the further loss.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

3 attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the hacker’s wallet(0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn(0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55).

What Happened Before the Attack

15 seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The hacker is the first one who interacts with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into Radiant Pool, with liquidityIndex as 1e27

3. Do a $2M flashloan on Radiant Lending Pool, to inflate the liquidityIndex to 1.8e36.

4. Repeatedly execute step 3, 151 times, to inflate the liauidityIndex to 2.7e38, which is 270000000000 times of its initial value.

5. Borrow 90.6 $ETH, worth $215K, from Radiant Pool, which is the profit of this attack;

6. Create a new contract (0xd8b591);

7. Approve an unlimited allowance of USDC to the new contract, transfer 543K $USDC to the new contract, and execute the below steps with the new contract;

8. Deposit 543K $USDC to the Radiant pool, to mint 2 wei tokens because amountScaled is 2, 543600000002*1e27/271800000000999999999999998631966035920=2;

9. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1, 407700000000*1e27/271800000000999999999999998631966035920=1.5 and the mathematical rounding issue. Note that amountScaled is a uint256 type variable that will turn 1.5 into 1.

10. Deposit 271K $USDC to the Radiant pool, mint 1 wei token because the amountScaled as 1, 271800000001*1e27/271800000000999999999999998631966035920=1 ;

11. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1.

12. Repeat steps 10 and 11 as many as 18 times, and drain all the $USDC, which was deposited by the hacker before, from the new market.

13. Swap 2 $WETH for 4.73K $USDC, swap 3.23K $USDC for 1.36 $WETH.

14. Repay flashloan from AAVE with 3.5m $USDC as principal and 1.5K $USDC as a fee.

15. Get a profit of 90 $ETH.

Root Cause

The root causes are that the hacker is the first one who interacts with the newly created native USDC market, inflates liquidityIndex with the floanloan feature of Radiant protocol, and uses the mathematical rounding issue to steal collateral from the lending pool.

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.

hacker Radiant Capital Vulnerability
Comments

All Comments

Recommended for you

  • Central Bank's Open Market Operations Net Withdrawal of 243 Billion Yuan Today

    On May 25, the People's Bank of China conducted a 258 billion yuan 7-day reverse repo operation today, with a bidding amount of 258 billion yuan and a winning amount of 258 billion yuan, at an operation rate of 1.40%, unchanged from before. Due to the maturity of 500 billion yuan in 1-year Medium-term Lending Facility (MLF) and 10 billion yuan in 7-day reverse repos today, there was a net withdrawal of 243 billion yuan.

  • Nikkei 225 Index Surpasses 65,000 Points

    On May 25, the Nikkei 225 index surpassed 65,000 points, setting a new historical high with an intraday increase of 2.64%.

  • Nikkei 225 Index Surpasses 64,000 Points, Sets Historical Record

    The Nikkei 225 Index has surpassed 64,000 points for the first time, setting a historical record, with an intraday increase of over 1%.

  • BTC Surpasses $77,000

    Market data shows that BTC has surpassed $77,000, currently priced at $77,012.01, with a 24-hour increase of 0.43%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Iranian Official: Management of the Strait of Hormuz Will Not Return to Pre-War Status

    On May 25, local time May 24, Rezaei, spokesperson for Iran's National Security and Foreign Policy Committee, stated that the management of the Strait of Hormuz will not return to its pre-war status. He also mentioned that the strait is currently under Iranian control, and after the end of the state of war, Iran can facilitate the passage of vessels. Rezaei further stated that Iran has not negotiated with the United States regarding its enriched uranium stockpile and will never back down from its current position; the U.S. has no choice but to accept Iran's conditions.

  • Trump: US-Iran Agreement 'Not Fully Negotiated Yet'

    On May 25, U.S. President Trump stated on the 24th that the agreement between the United States and Iran is 'not fully negotiated yet,' accusing some uninformed individuals of 'unfounded criticism.' Trump posted on social media, saying, 'If I reach an agreement with Iran, it will be a good and appropriate agreement.' 'No one has seen it or knows its contents. It is not fully negotiated yet. So don't listen to those losers who criticize something they don't understand at all.' According to U.S. media reports, although the draft of the agreement has not been made public, some individuals in the U.S. have criticized it fiercely, claiming it actually undermines the goals set by the Trump administration. White House officials told the media that it will take 'a few more days' to finalize the agreement between the U.S. and Iran. (Xinhua News Agency)

  • Vitalik: Ethereum Foundation is Not the Central Manager of the ETH Ecosystem, Future Development Will Shift to 'Small and Long-term' Approach

    On May 25, Ethereum founder Vitalik shared his views on the future development direction of the Ethereum Foundation in a post on the X platform. He emphasized that this is just his personal opinion. The board does not consist solely of him, and he does not have more special powers than other board members. Aya Miyaguchi is leading most of the execution work for this transformation, while his own involvement is more focused on technical issues. The board is currently expanding, and his influence within the organization will continue to decline in the future, which, frankly, is what he hopes to see. By 2025, the Ethereum Foundation has made significant improvements in its execution capabilities. Many issues have been resolved, and the foundation continues to benefit from greater efficiency and a stronger focus on specific goals. However, as these issues were addressed, he began to care more about another concern: he often sees people saying, 'Vitalik has always talked about Ethereum needing to be decentralized, having privacy, and becoming a shelter technology, but why do the actions of the Ethereum Foundation not reflect these ideals?' Of course, there are those who hold completely different views. Some do not feel there is a crisis at all, but rather believe that the Ethereum Foundation has finally begun to take execution and business development seriously, and the next focus should be to continue along this path faster and stronger. Vitalik believes that this difference essentially reflects varying sensitivities to different types of criticism, and he is more easily hurt by criticisms regarding deviations from values. Vitalik stated that the Ethereum Foundation should not be 'the center of Ethereum,' but rather 'a node with clear responsibilities, existing alongside other nodes.' In the past, they have always said this, but many people in the ecosystem, including some within the foundation, hoped the foundation would become a true center. Now, they are taking concrete actions to ensure the foundation becomes the latter. This is particularly important because the Ethereum Foundation is essentially a resource-limited and organizationally limited entity. The foundation currently holds only about 0.16% of all ETH, which is even lower than many large ETH holders; whereas many other blockchain projects' 'central foundations' typically control 10%-50% of their tokens. The current Ethereum Foundation has decided to use its remaining resources to pursue 'long-term viability' rather than continuous expansion (which also means they will sell less ETH). The foundation will focus on those things that are crucial for Ethereum to become a censorship-resistant, control-resistant, open, private, and secure system, but that no one else would do if the foundation does not. This means they must make difficult choices. Some projects and individuals they highly respect may no longer belong to the foundation's system in the future. In fact, if they want important tasks to attract external capital, it may be necessary to keep some talented individuals, influential public figures, and those who share the mission and CROPS philosophy outside the foundation. This also means that the Ethereum Foundation will take a clearer and more principled stance on a cultural level.

  • ETH Surpasses $2100

    Market data shows that ETH has surpassed $2100, currently priced at $2101.04, with a 24-hour increase of 1.9%. The market is experiencing significant volatility, so please ensure proper risk management.

  • U.S. Officials: Agreement with Iran Expected Not to Be Signed on Sunday, Some Issues Remain

    On May 24, Axios reported, citing a U.S. official, that Iran's Supreme Leader has approved the overall framework of the agreement. There are some important statements for us and some significant wording for Iran. It is expected that the agreement with Iran will not be signed on Sunday, as there are still some issues that need to be resolved. The current status of the Iranian regime is progressing slowly, and completing the necessary approvals will take a few days.

  • ETH Falls Below $2100

    Market data shows that ETH has fallen below $2100, currently priced at $2096.81, with a 24-hour increase of 2.47%. The market is experiencing significant volatility, so please ensure proper risk management.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company