Radiant Capital suspends DeFi lending on Arbitrum after $4.5 million ETH exploit
Blockchain security firms, including CertiK, stated that Radiant Capital suffered a flash loan attack.
Decentralized finance (DeFi) lending protocol Radiant Capital temporarily paused its operations on the Ethereum layer-2 network Arbitrum after it was exploited for 1,900 ETH, or $4.5 million.
In a Jan. 3 post on social media platform X (formerly Twitter), the cross-chain lending protocol confirmed that it received a report of an issue with its newly created native USDC market on Arbitrum.
“After validation by Radiant developers and the wider Web 3 security community, the Radiant DAO Council paused lending/borrowing markets on Arbitrum temporarily while this is investigated further,” it added.
The platform did not provide additional information about the cause of the issues.
However, several blockchain security firms, including CertiK, stated that the protocol experienced a flash loan attack, allowing the attacker to “inflate the liquidity index and then exploit the rounding issue in rayDiv() during deposit() and withdraw() to drain the lending pools.”
Beosin Alert further explained that the Radiant USDC contract has a rounding issue in its calculations, and that the attacker manipulated the index parameter to a higher value.
“The attacker manipulated the index parameter (which later served as a denominator) to become extremely large. The contract has a rounding issue in its calculations, which led to a cumulative precision error. Since the index parameter was dramatically inflated, this precision error was also magnified, ultimately allowing the attacker to profit through repeated deposit() and withdraw() operations,” Beosin Alert wrote.
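The arithmetic behind the rounding issue described above, as an added example that is not code from Radiant, CertiK or Beosin. It assumes rayDiv() is a 27-decimal fixed-point division that rounds to nearest, uses constructed index and amount values, and compares that rounding with directed rounding (down on deposit, up on withdraw), one common mitigation.

```python
RAY = 10**27  # assumed ray unit: 27-decimal fixed point

def ray_div_half_up(a: int, b: int) -> int:
    """a / b in ray precision, rounded to nearest (assumed rayDiv() behaviour)."""
    return (a * RAY + b // 2) // b

def ray_div_down(a: int, b: int) -> int:
    """Rounds toward zero: use when minting shares on deposit."""
    return (a * RAY) // b

def ray_div_up(a: int, b: int) -> int:
    """Rounds up: use when burning shares on withdraw."""
    return (a * RAY + b - 1) // b

def underlying_value(shares: int, index: int) -> int:
    """Underlying units that `shares` scaled units can claim at this index."""
    return shares * index // RAY

def deposit_loss(amount: int, index: int, div) -> int:
    """Pool loss on deposit: value of minted shares minus underlying received."""
    return underlying_value(div(amount, index), index) - amount

def withdraw_loss(amount: int, index: int, div) -> int:
    """Pool loss on withdraw: underlying paid out minus value of burned shares."""
    return amount - underlying_value(div(amount, index), index)

def max_rounding_loss(index: int) -> int:
    """Approximate worst-case loss per operation with round-to-nearest:
    about half a share unit, expressed in underlying units."""
    return index // (2 * RAY)

# Constructed values, not taken from the incident.
NORMAL_INDEX = 105 * RAY // 100   # index of 1.05
INFLATED_INDEX = 10**12 * RAY     # one share unit is worth 10**12 underlying units

if __name__ == "__main__":
    for name, index, dep, wd in (
        ("normal", NORMAL_INDEX, 1_000_000, 1_000_000),
        ("inflated", INFLATED_INDEX, 5 * 10**11, 15 * 10**11 - 1),
    ):
        print(name, "bound per op:", max_rounding_loss(index))
        print("  half-up  deposit/withdraw loss:",
              deposit_loss(dep, index, ray_div_half_up),
              withdraw_loss(wd, index, ray_div_half_up))
        print("  directed deposit/withdraw loss:",
              deposit_loss(dep, index, ray_div_down),
              withdraw_loss(wd, index, ray_div_up))
```

A positive loss means the pool is short-changed. With directed rounding the loss is never positive at either index, and `max_rounding_loss` can serve as a monitoring signal when an index grows far beyond its expected range.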
Social media platform X has been inundated with fake Radiant Capital accounts posting phishing links that claim to help users revoke approvals. However, the official account for the protocol has already urged the community to verify information from official channels and warned that “many imitation accounts will likely spread misinformation or fake links.”
Meanwhile, the event did not drastically impact the total value of assets locked on the protocol, which sat at around $315 million as of press time, according to DefiLlama data.