Radiant Capitale Suffers $4.6 Million Loss

January 2, 2024

Summary #

On January 2, 2024, Radiant Capital on the Arbitrum Chain suffered a $4.6 million loss from a sophisticated exploit, involving 1902 ETH, due to a smart contract vulnerability. The attack was orchestrated by utilizing flash loans to inflate the USDC reserve liquidity index on the platform artificially. This enabled the attacker to borrow excessive WETH against the artificially high collateral value. The situation was exacerbated by a rounding error within the contract’s calculations, allowing the attacker to manipulate deposit and withdrawal transactions cleverly. By exploiting the inflated collateral and the rounding discrepancy through calculated deposits, withdrawals, and borrowing, the attacker was able to extract substantial funds.

Attackers #

The identity of the attacker is unknown. The following address is associated with this attack:

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Losses #

The loss amounted to 1902 ETH worth $4.6 million.

Timeline #

January 2, 2024, 06:53 PM UTC: The first malicious transaction occurred.
January 3, 2024, 12:14 AM UTC: Radiant Protocol reported the exploit and suspended work on Arbitrum.
January 5, 2024, 02:50 AM UTC: Radiant Protocol announced a reward for assistance in investigating the incident.
January 5, 2024, 12:07 AM UTC: Lending and loan markets on Arbitrum have been resumed.
January 12, 2024: A detailed analysis of the exploit has been published.

Security Failure Causes #

Smart Contract Vulnerability: The exploit was enabled by leveraging flash loans for price manipulation and exploiting a rounding error in the smart contract, which allowed the attacker to increase the profit margin.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam