Cointime

Cointime

Download App
iOS & Android

Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol, on multiple chains, including Arbitrum, BNBChain, and Ethereum.

Radiant protocol’s total value locked still has $313M after the attack, due to their rapid pause of protocol after the attack, stopped the further loss.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

3 attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the hacker’s wallet(0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn(0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55).

What Happened Before the Attack

15 seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The hacker is the first one who interacts with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into Radiant Pool, with liquidityIndex as 1e27

3. Do a $2M flashloan on Radiant Lending Pool, to inflate the liquidityIndex to 1.8e36.

4. Repeatedly execute step 3, 151 times, to inflate the liauidityIndex to 2.7e38, which is 270000000000 times of its initial value.

5. Borrow 90.6 $ETH, worth $215K, from Radiant Pool, which is the profit of this attack;

6. Create a new contract (0xd8b591);

7. Approve an unlimited allowance of USDC to the new contract, transfer 543K $USDC to the new contract, and execute the below steps with the new contract;

8. Deposit 543K $USDC to the Radiant pool, to mint 2 wei tokens because amountScaled is 2, 543600000002*1e27/271800000000999999999999998631966035920=2;

9. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1, 407700000000*1e27/271800000000999999999999998631966035920=1.5 and the mathematical rounding issue. Note that amountScaled is a uint256 type variable that will turn 1.5 into 1.

10. Deposit 271K $USDC to the Radiant pool, mint 1 wei token because the amountScaled as 1, 271800000001*1e27/271800000000999999999999998631966035920=1 ;

11. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1.

12. Repeat steps 10 and 11 as many as 18 times, and drain all the $USDC, which was deposited by the hacker before, from the new market.

13. Swap 2 $WETH for 4.73K $USDC, swap 3.23K $USDC for 1.36 $WETH.

14. Repay flashloan from AAVE with 3.5m $USDC as principal and 1.5K $USDC as a fee.

15. Get a profit of 90 $ETH.

Root Cause

The root causes are that the hacker is the first one who interacts with the newly created native USDC market, inflates liquidityIndex with the floanloan feature of Radiant protocol, and uses the mathematical rounding issue to steal collateral from the lending pool.

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.

hacker Radiant Capital Vulnerability
Comments

All Comments

Recommended for you

  • Bank of Japan to Maintain Interest Rates in April

    On April 21, according to Nikkei News: The Bank of Japan will maintain interest rates unchanged in April.

  • Iranian Military: Ready to Respond Decisively to 'Enemy's Breach of Promises'

    On April 21, local time, Abdollahi, commander of the Khatam al-Anbiya Central Command of the Iranian Armed Forces, stated that Iran is prepared to respond decisively to the 'enemy's breach of promises.' Abdollahi emphasized that the current Iranian military possesses 'authority, readiness, and comprehensive strategic capabilities.' He noted that the Islamic Revolutionary Guard Corps and other defense forces have demonstrated combat capabilities in relevant operations, putting 'Israel and the United States in a difficult and fatigued position,' forcing them to 'seek a ceasefire.' Abdollahi also stressed that the Iranian armed forces maintain a high level of unity with the government and the people under the supreme leader's unified command, and will respond 'decisively, resolutely, and promptly' to any threats and actions. (CCTV News)

  • Another Iranian Oil Tanker Returns to Iran After Breaking US Blockade

    On April 21, according to CCTV News, maritime intelligence company 'TankerTrackers' reported that a tanker belonging to the National Iranian Tanker Company returned to Iran after unloading approximately 2 million barrels of crude oil in Indonesia, crossing the relevant maritime blockade line. The tanker is currently en route to Iran's main oil export hub, Khark Island, and is expected to arrive on April 22 local time. It is reported that the tanker set sail from Iran in late March, heading towards the Riau Islands of Indonesia.

  • White House: US and Iran on the Verge of Reaching an Agreement

    On April 21, White House Press Secretary Kayleigh McEnany stated in an interview with Fox News on the evening of the 20th that the United States and Iran are on the "verge of reaching an agreement." McEnany remarked, "The US has never been closer to achieving a truly good deal." However, she did not disclose any information regarding the current status of the negotiations. McEnany noted that even if an agreement is not reached, President Trump has multiple options and is not afraid to utilize these measures. Previous actions have demonstrated that Trump is not just "bluffing."

  • cointime子凡 ·

    Bitcoin: The New King of Safe-Haven Assets, A New Choice for Robust Portfolio Allocation

    Bitcoin: The New King of Safe-Haven Assets, A New Choice for Robust Portfolio Allocation

  • Kelp DAO Attacker Transfers 30,800 ETH to Special Address

    On April 21, news emerged that, according to monitoring by PeckShield, the Kelp DAO attacker transferred 30,800 ETH to a special address starting with 0x00000, possibly indicating a destruction action.

  • Trump: 'Midnight Hammer' Completely Dismantled Iran's Nuclear Dust Base

    On April 21, U.S. President Trump stated that the 'Midnight Hammer' operation has completely destroyed the 'nuclear dust' base within Iran. As a result, the cleanup will be a long and arduous process. The fake news media, including CNN and other corrupt media networks and platforms, have failed to give our great pilots the credit they deserve, instead always attempting to belittle and undermine them. They are losers!!! (Dongxin News Agency)

  • BTC Drops Below $76,000

    Market data shows that BTC has dropped below $76,000, currently priced at $75,999.63, with a 24-hour increase of 1.68%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Japan Officially Allows Export of Lethal Weapons Through Cabinet Resolution

    On April 21, according to Kyodo News, the Japanese government officially revised the 'Three Principles on Transfer of Defense Equipment' and its operational guidelines during a cabinet meeting, which will, in principle, allow the export of lethal weapons. (Xinhua News Agency)

  • Trump Claims Iran Will Negotiate

    On April 21, during a phone interview with CNN, U.S. President Trump stated that Iran "will negotiate" and expressed confidence in potential talks set to take place in Pakistan. Trump remarked, "They will negotiate; if they don't, they will face unprecedented problems." He also expressed hope that both sides could reach a "fair agreement" and emphasized that Iran "will not have nuclear weapons." Additionally, he defended military actions against Iran by stating there was "no choice" and claimed that they would ultimately "wrap things up."

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company