Cross-chain lending protocol Radiant Capital has halted its lending market on Arbitrum after discovering a potential vulnerability that led to an attack resulting in a loss of $4.5 million. In a January 3 Twitter post, Radiant confirmed reports of an issue with its newly created native USDC market on Arbitrum, acknowledging that it fell victim to a "flash loan-based exploitation."
In response to the attack, the Radiant DAO Board took immediate action, instituting emergency administrative controls by suspending all markets on Arbitrum to prevent further damage. Blockchain security firm Beosin detailed the attack, identifying it as a flash loan exploit that leveraged a "rounding issue" within the codebase, leading to cumulative precision errors. This flaw allowed the attacker to capitalize on repeated Deposit() and Pull() operations.
PeckShield's analysis on January 2 also highlighted the flaw as stemming from a "known rounding issue" present in the Compound/Aave codebase, upon which the lending market was built. It explained that the attack exploited the window of time during the activation of a new market in the lending system.
The attackers successfully siphoned off $4.5 million worth of Ethereum, as reported by data sourced from the Arbitrum block explorer Arbiscanner. In response to the security breach, Radiant swiftly suspended its lending market on Arbitrum, reassuring investors that no further funds were presently at risk. The platform pledged a comprehensive post-mortem investigation into the incident and vowed to resume normal operations once the investigation was concluded.
Radiant Capital functions as a decentralized lending protocol, incorporating cross-chain functionalities through LayerZero technology. As per DefiLlama, the protocol currently locks in a total value of approximately $315 million. Despite the setback, Radiant remains committed to addressing the security breach and ensuring the safety and integrity of its platform before resuming operations.
