Radiant Capital, a cross-chain lending protocol, has temporarily halted lending and borrowing markets on Arbitrum after falling victim to a multimillion-dollar exploit on one of its new USD Coin (USDC) markets. Security reports revealed that the protocol was targeted in a flash loan attack, exploiting a time window during the activation of a new market and leveraging a known rounding issue in the current Compound/Aave codebase.
The attacker manipulated the index parameter, causing a cumulative precision error, resulting in a loss of 1,900 Ethereum, equivalent to approximately $4.5 million. Radiant Capital acknowledged the issue, stating that “no current funds” were at risk and promised a detailed postmortem once the problem was resolved.
The flash loan attack on Radiant Capital was quickly reported by multiple blockchain security firms, including PeckShield, which noted that the root cause was not new: the attack exploited vulnerabilities in the market activation process. Beosin, another security firm, detailed how the attacker manipulated the index parameter until it became extremely large, producing a cumulative precision error that let them profit through repeated deposit() and withdraw() operations. Radiant Capital later confirmed the attack and assured users that their current funds were not in jeopardy. The protocol plans to release a comprehensive postmortem once the issue is resolved and markets on Arbitrum are unpaused.
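The precision error Beosin describes can be modelled in a few lines. The following is an added illustration, not code from Radiant, Compound or Aave: it assumes Aave-style scaled balances with 27-decimal "ray" arithmetic and round-to-nearest division, uses constructed index values and amounts, and compares the per-operation rounding leak with pool-favouring rounding and a hypothetical index bound check (index_within_bounds).

```python
RAY = 10**27  # 27-decimal fixed point for the liquidity index (assumed, Aave-style)

def ray_div_half_up(a, b):
    """Round to nearest: the rounding mode assumed for the affected codebase."""
    return (a * RAY + b // 2) // b

def ray_div_down(a, b):
    return (a * RAY) // b

def ray_div_up(a, b):
    return -((-a * RAY) // b)

def max_over_credit(index, amounts, mint_div, burn_div):
    """Largest value (in base units) the pool gives away in one deposit or
    withdrawal of any listed amount, given the division used for each."""
    worst = 0
    for a in amounts:
        minted = mint_div(a, index)   # scaled units credited on deposit
        burned = burn_div(a, index)   # scaled units removed on withdrawal
        on_deposit = minted * index - a * RAY    # credited beyond what was paid in
        on_withdraw = a * RAY - burned * index   # paid out beyond what was burned
        worst = max(worst, on_deposit, on_withdraw)
    return worst // RAY

def index_within_bounds(index, max_unit_value):
    """Guard: reject operations while one scaled unit is worth more than
    max_unit_value base units (hypothetical threshold chosen by the operator)."""
    return index // RAY <= max_unit_value

# Constructed sample values, not taken from the incident.
AMOUNTS = [1_499_999_999, 1_500_000_000, 2_000_000_000]
NORMAL_INDEX = 105 * RAY // 100      # index of 1.05
INFLATED_INDEX = 10**9 * RAY         # one scaled unit worth 1e9 base units

if __name__ == "__main__":
    for name, idx in (("normal", NORMAL_INDEX), ("inflated", INFLATED_INDEX)):
        half_up = max_over_credit(idx, AMOUNTS, ray_div_half_up, ray_div_half_up)
        safe = max_over_credit(idx, AMOUNTS, ray_div_down, ray_div_up)
        print(f"{name}: half-up leaks {half_up}, pool-favouring leaks {safe}, "
              f"guard ok={index_within_bounds(idx, 1_000)}")
```

With a normal index the rounding leak is below one base unit per operation; with the inflated index it grows to half the value of a scaled unit, while rounding deposits down and withdrawals up keeps it at zero.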
This incident raises concerns about the security of DeFi protocols and the potential risks associated with flash loan attacks. Radiant Capital’s decision to temporarily suspend markets on Arbitrum reflects the seriousness of the exploit and the need for thorough investigations to prevent further vulnerabilities. The exploit not only resulted in a significant financial loss for the protocol but also highlights the challenges faced by decentralized financial platforms in ensuring robust security measures against sophisticated attacks.