On January 3, the Radiant Capital project suffered a severe flash loan attack, resulting in the loss of 1,900 ETH (approximately $4.5 million). Radiant Capital is a decentralized cross-chain lending protocol that allows users to deposit and lend various assets on different blockchains, eliminating liquidity silos.

According to on-chain data, the hacker took advantage of a time window for new market activation and a rounding issue in the Compound/Aave code base to execute a flash loan attack. In a flash loan attack, the attacker borrows a large amount of funds, completes a series of operations within a single block, and returns the funds before the end of that block, keeping the profit.

Vulnerability attack summary

According to reports from PeckShield, attackers exploited a calculation vulnerability in Radiant Capital that allowed them to withdraw large amounts of USDC at low cost by controlling precision and rounding. USDC is a stablecoin whose value is pegged to the U.S. dollar and is one of the assets most commonly used in decentralized finance protocols.

The attack proceeded as follows:

1. The attacker first borrowed 3 million USDC through an AAVE flash loan to start the attack.

2. The attacker deposited 2 million USDC into the Radiant contract and received 2 million rUSDCn receipt tokens.

3. The attacker took a flash loan of 2 million USDC from the Radiant contract, returned the 2 million USDC in the callback function, and withdrew the USDC deposited in step 2. At the end, the flash loan function calls the transferFrom function to transfer the attacker's USDC, with interest, into the contract. A fee of 9/10000 is charged at this point, and the collected fee becomes liquidity of the pool.

4. By repeating step 3 many times, the attacker drove liquidityIndex to a very large value: liquidityIndex = 271800000000999999999999998631966035920. liquidityIndex is a variable in the Radiant contract that records the growth of liquidity; it increases as time passes and interest accrues.

5. Next, the attacker created a new contract and transferred 543,600 USDC into it. 5436 (the USDC value) is exactly twice 2718 (the liquidityIndex value from step 4), which makes the rounding easy to control.

6. The attacker deposited all 543,600 USDC into the Radiant contract and received the same amount of rUSDCn.

7. The attacker withdrew 407,700 USDC, which should have burned 407,700 rUSDCn. As mentioned above, however, the burn function scales the amount up in precision and then rounds: 40770000000000000000000000000000000000/271800000000999999999999998631966035920=1.49999999, which rounds to 1, making the result 1/3 smaller. As shown in the picture below, 407,700 rUSDCn should have been burned, but 271,800 were left, indicating that only 271,800 were burned, while the attacker withdrew 407,700 USDC.

8. The attacker exploited the flaw in step 7 by repeating the deposit and withdrawal operation. Each withdrawal was 1/3 more than the amount deposited, and the attacker eventually drained all the USDC in the pool.
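
The arithmetic of steps 6 and 7, replayed as an added example (not code from the original article, Radiant or Aave). `ray_div` and `ray_mul` model Aave-style half-up ray math; `NORMAL_INDEX`, `withdraw`, `replay` and the round-up burn `ray_div_ceil` are assumptions introduced here to show one possible mitigation, rounding burned tokens against the withdrawer.

```python
RAY = 10**27   # Aave-style fixed-point unit (27 decimals)
USDC = 10**6   # USDC base units per token

# liquidityIndex value quoted in step 4 of the write-up
INFLATED_INDEX = 271_800_000_000_999_999_999_999_998_631_966_035_920
NORMAL_INDEX = 105 * RAY // 100  # constructed: a market with 5% accrued interest

def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounding half up (models Aave-style rayDiv)."""
    return (a * RAY + b // 2) // b

def ray_mul(a: int, b: int) -> int:
    """a * b in ray precision, rounding half up (models Aave-style rayMul)."""
    return (a * b + RAY // 2) // RAY

def ray_div_ceil(a: int, b: int) -> int:
    """a / b in ray precision, always rounding up (favours the pool on burn)."""
    return -((-a * RAY) // b)

def withdraw(scaled_balance: int, amount: int, index: int, div=ray_div):
    """Burn scaled tokens for `amount` of underlying (hypothetical helper).

    Returns (remaining scaled balance, shortfall), where shortfall is the
    underlying paid out beyond what the burned scaled tokens were worth.
    """
    burned = div(amount, index)
    if burned > scaled_balance:
        raise ValueError("insufficient scaled balance")
    shortfall = amount - ray_mul(burned, index)
    return scaled_balance - burned, max(shortfall, 0)

def replay(index: int, div=ray_div):
    """Steps 6-7: deposit 543,600 USDC, then withdraw 407,700 USDC."""
    scaled = ray_div(543_600 * USDC, index)  # scaled tokens minted on deposit
    remaining, shortfall = withdraw(scaled, 407_700 * USDC, index, div)
    return scaled, remaining, shortfall

if __name__ == "__main__":
    for name, idx in (("normal", NORMAL_INDEX), ("inflated", INFLATED_INDEX)):
        scaled, remaining, shortfall = replay(idx)
        print(f"{name}: minted={scaled} remaining={remaining} "
              f"shortfall={shortfall / USDC:,.6f} USDC")
    print("round-up burn:", replay(INFLATED_INDEX, ray_div_ceil))
```

With the inflated index the whole deposit is represented by only 2 scaled units, so a half-up burn of 1.4999 units leaves a shortfall of roughly 135,900 USDC per withdrawal; with the round-up burn the same withdrawal consumes both units and the shortfall is zero.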

Funds are not currently at risk

Radiant Capital acknowledged the issue in its official post and said it had suspended its lending market on Arbitrum and was investigating the cause and impact of the incident. Arbitrum is a layer 2 scaling solution that increases transaction speed and reduces costs on Ethereum. Radiant Capital also stated that no user funds are currently at risk and that it plans to issue a report and resume operations after the problem is resolved.

Conclusion:

This incident is another reminder that the security of decentralized finance protocols is critical and that they need continuous auditing and testing to prevent potential vulnerabilities and attacks. Users should also be aware of the risks and only lend and invest on trusted platforms. Although Radiant Capital suffered heavy losses, it showed a positive attitude and a sense of responsibility, and hopefully it can recover and improve the security and stability of its protocol as soon as possible. I also hope that other decentralized finance protocols can learn from this incident, strengthen their own security precautions, and provide users with better services and experiences.