Hack Explained - Radiant Capital


Radiant Capital, a cross-chain lending protocol that aims to unify fragmented liquidity across various lending protocols and chains in the decentralised finance (DeFi) space, recently experienced a significant security breach.

Behind the Breach

The hack on Radiant Capital was attributed to a vulnerability that was exploited in the time window when a new market is activated in its lending protocol, which is a fork of the popular Compound/Aave protocols. The vulnerability was specific to the newly created native USDC market on the Arbitrum network. The exploit manipulated a known rounding issue in the current Compound/Aave codebase and was triggered just six seconds after the new market was activated. In a precisely timed attack, the hacker sniped the new USDC market deployment and exploited it immediately after activation.

The estimated total loss is approximately $4.5 million, made up of the following stolen assets:

  • 1,900 ETH - valued at around $4.5 million.

Lessons from the Incident

The Radiant Capital hack underscores the critical need for rigorous security measures in DeFi protocols, especially those involving complex mechanisms like cross-chain transactions and market activations. The root cause of the exploit was a combination of a timing vulnerability during market activation and a known rounding issue in the codebase. To mitigate such vulnerabilities, DeFi platforms should consider implementing more stringent security checks, especially during critical periods like market launches. Regular audits and updates to address known issues in forked protocols are also essential.
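
A launch-time check of the kind described above, as an added example that is not Radiant's, Aave's or Compound's code: it models a generic round-down share accounting and reports when a market is unseeded or when truncation would cost a depositor more than a set tolerance. `MarketState`, `MIN_SEED_SHARES`, `MAX_ROUNDING_BPS` and the function names are assumptions made for illustration, and the sample values in the comments are constructed.

```python
from dataclasses import dataclass

# Assumed policy values for this illustration (not taken from the article).
MIN_SEED_SHARES = 10**6   # shares that must already exist before activation
MAX_ROUNDING_BPS = 1      # tolerated truncation loss per deposit, in basis points


@dataclass
class MarketState:
    total_assets: int  # underlying held by the market, in smallest units
    total_shares: int  # receipt tokens outstanding, in smallest units


def shares_for_deposit(m: MarketState, amount: int) -> int:
    """Shares minted for a deposit, truncating as integer-only contract math does."""
    if m.total_shares == 0 or m.total_assets == 0:
        return amount  # first deposit sets a 1:1 price in this simplified model
    return amount * m.total_shares // m.total_assets


def rounding_loss_bps(m: MarketState, amount: int) -> int:
    """Basis points of a deposit (amount > 0) lost to truncation.

    Compares the deposit with the redeemable value of the minted shares
    at the post-deposit share price.
    """
    minted = shares_for_deposit(m, amount)
    value_back = minted * (m.total_assets + amount) // (m.total_shares + minted)
    return (amount - value_back) * 10_000 // amount


def activation_findings(m: MarketState, typical_amount: int) -> list[str]:
    """Reasons not to activate the market yet; an empty list means the check passes."""
    findings = []
    if m.total_shares < MIN_SEED_SHARES:
        findings.append("unseeded: total_shares below MIN_SEED_SHARES")
    if rounding_loss_bps(m, typical_amount) > MAX_ROUNDING_BPS:
        findings.append("rounding: truncation loss above MAX_ROUNDING_BPS")
    return findings


if __name__ == "__main__":
    # Constructed states: empty, seeded 1:1, and seeded with a skewed share price.
    for state in (MarketState(0, 0), MarketState(10**6, 10**6), MarketState(10**12, 10**6)):
        print(state, activation_findings(state, 1_500_000))
```

Running the same check continuously for the first blocks after activation, and keeping the market paused until it returns no findings, covers the window in which this incident occurred.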

In response to the attack, Radiant Capital temporarily suspended its lending and borrowing markets on Arbitrum for further investigation. This swift action highlights the importance of quick response mechanisms to minimise the impact of such breaches. Additionally, educating users about potential risks and maintaining transparent communication during crises can help in maintaining trust in the DeFi ecosystem.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.