Cointime

Cointime

Download App
iOS & Android

Radiant Protocol on Arbitrum Suffers Flashloan Attack, Resulting in $4.5M Loss: In-Depth Analysis Reveals Exploit Details

From MetaTrust Labs by Daniel Tan

TL;DR

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

On Jan-03–2024 UTC+8:00, the Radiant protocol on Arbitrum was under the flashloan attack. The hacker attacked the #Radiant protocol 3 times, resulting in a total loss of 1.9K $ETH(worth $4.5m). The root cause is the mathematical rounding issue in the `burn` function that is amplified and used, on a new $USDC market, which makes the hacker withdraw an extra $USDC.

MetaTrust Labs conducted in-depth research and analysis on the exploit, revealing how the hacker exploits vulnerability.

Radiant Protocol

Radiant is a decentralized, non-custodial lending protocol, on multiple chains, including Arbitrum, BNBChain, and Ethereum.

Radiant protocol’s total value locked still has $313M after the attack, due to their rapid pause of protocol after the attack, stopped the further loss.

Timeline

Transactions

0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d

0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

Asset Loss

3 attacking transactions resulted in a total loss of 1.9K $ETH, worth $4.5M. At the time of writing, the 1.9K $ETH is still held in the hacker’s wallet(0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).

Attacker

0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Attacking Contract

0x39519c027b503f40867548fb0c890b11728faa8f

Victim Contract

Radiant: Lending Pool(0xf4b1486dd74d07706052a33d31d7c0aafd0659e1)

rUSDCn(0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55).

What Happened Before the Attack

15 seconds before the attack, a new native USDC market on Arbitrum was created by the client.

The hacker is the first one who interacts with the new USDC market.

Attacking Steps

Take the first attacking transaction, 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b, as an example.

  1. Borrow 3M $USDC from AAVE with the flashloan function;
  2. Deposit 2M $USDC into Radiant Pool, with liquidityIndex as 1e27

3. Do a $2M flashloan on Radiant Lending Pool, to inflate the liquidityIndex to 1.8e36.

4. Repeatedly execute step 3, 151 times, to inflate the liauidityIndex to 2.7e38, which is 270000000000 times of its initial value.

5. Borrow 90.6 $ETH, worth $215K, from Radiant Pool, which is the profit of this attack;

6. Create a new contract (0xd8b591);

7. Approve an unlimited allowance of USDC to the new contract, transfer 543K $USDC to the new contract, and execute the below steps with the new contract;

8. Deposit 543K $USDC to the Radiant pool, to mint 2 wei tokens because amountScaled is 2, 543600000002*1e27/271800000000999999999999998631966035920=2;

9. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1, 407700000000*1e27/271800000000999999999999998631966035920=1.5 and the mathematical rounding issue. Note that amountScaled is a uint256 type variable that will turn 1.5 into 1.

10. Deposit 271K $USDC to the Radiant pool, mint 1 wei token because the amountScaled as 1, 271800000001*1e27/271800000000999999999999998631966035920=1 ;

11. Withdraw 407K $USDC from the Radiant pool, only burn 1 wei token because amountScaled is 1.

12. Repeat steps 10 and 11 as many as 18 times, and drain all the $USDC, which was deposited by the hacker before, from the new market.

13. Swap 2 $WETH for 4.73K $USDC, swap 3.23K $USDC for 1.36 $WETH.

14. Repay flashloan from AAVE with 3.5m $USDC as principal and 1.5K $USDC as a fee.

15. Get a profit of 90 $ETH.

Root Cause

The root causes are that the hacker is the first one who interacts with the newly created native USDC market, inflates liquidityIndex with the floanloan feature of Radiant protocol, and uses the mathematical rounding issue to steal collateral from the lending pool.

Key Code

About MetaTrust Labs

MetaTrust Labs is a leading provider of Web3 AI security tools and code auditing services incubated at Nanyang Technological University, Singapore. We provide advanced AI solutions that empower developers and project stakeholders to protect Web3 applications and smart contracts. At MetaTrust Labs, we are committed to protecting the Web3 space so that builders can innovate with confidence and reliability.

hacker Radiant Capital Vulnerability
Comments

All Comments

Recommended for you

  • BTC breaks through $92,000

     the market shows BTC breaking through $92,000, currently at $92,023.91, with a 24-hour decline of 0.13%. The market is highly volatile, please manage your risk accordingly.

  • WLFI launches lending marketplace powered by Dolomite

     WLFI launches a lending market supported by Dolomite.

  • Spot gold rose more than $300 in January.

     spot gold has risen above $4620/oz, with a daily increase of 2.44%, accumulating a rise of over $300 in the first month of the new year.

  • Hassett: Still interested in a Fed position

    White House National Economic Council Director Hassett: Still interested in the Federal Reserve position. It is unknown whether U.S. President Trump has approved an investigation into the Federal Reserve. Federal Reserve Chairman Powell is a good person.

  • BTC falls below $91,000

     the market shows BTC fell below $91,000, currently at $90,997.44, with a 24-hour increase of 0.26%. The market is highly volatile, please manage your risks accordingly.

  • The US spot Ethereum ETF saw a net outflow of $68.57 million last week.

    according to SoSoValue data, during the trading days last week (January 5 to January 9, Eastern US time), the US spot Ethereum ETF had a net outflow of 68.57 million USD.

  • BTC breaks through $92,000

    the market shows BTC breaking through $92,000, currently at $92,041.92, with a 24-hour increase of 1.49%. The market is volatile, please manage your risk accordingly.

  • Japanese Prime Minister considers dissolving the House of Representatives; USD/JPY rises sharply.

    Japanese Prime Minister is considering dissolving the House of Representatives. The USD/JPY exchange rate quickly rose by 0.66% to 157.95, hitting a new one-year high. 

  • a16z announced the completion of a $15 billion funding round, which will focus on investments in AI and crypto.

    a16z has just completed raising over $15 billion in funds. This batch of funds includes: American Dynamism Fund ($1.176 billion), Apps Fund ($1.7 billion), Bio + Health Fund ($700 million), Infrastructure Fund ($1.7 billion), Growth Fund ($6.75 billion), and other venture capital strategy funds ($3 billion). The announcement states that its mission is to ensure the United States wins the technology competition in the next 100 years, focusing on winning key infrastructures such as AI and crypto. In addition, it will promote the application of related technologies in fields such as biology, health, defense, public safety, education, and entertainment.

  • BTC falls below $90,000

     market shows BTC fell below 90,000 USD, currently at 89,996.08 USD, 24-hour decline reached 0.43%, market volatility is high, please manage risk properly.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company