
Over 1,900 ETH Stolen: How Hackers Breached Radiant Capital and Pilfered $4.5 Million
TechFlow Selected TechFlow Selected

Over 1,900 ETH Stolen: How Hackers Breached Radiant Capital and Pilfered $4.5 Million
On January 3, 2024, the Radiant Capital project suffered a flash loan attack, during which the attacker stole over 1,900 ETH through three transactions, worth more than $4.5 million. The stolen funds remain in the attacker's address.
Author: Beosin
On January 3, 2024, according to monitoring by EagleEye, Beosin's security risk monitoring, early warning, and blocking platform, the Radiant Capital project suffered a flash loan attack. Through three transactions, the attacker stole over 1,900 ETH worth more than $4.5 million. The stolen funds remain in the attacker’s address. Beosin’s security team immediately analyzed the incident.
Vulnerability Analysis
The root cause of this incident lies in Radiant Capital’s method of calculating token amounts—specifically, the use of precision scaling combined with rounding operations. This allowed the attacker to manipulate precision values and exploit rounding to amplify profit margins.

Examining the code above, the rayDiv function takes two uint256 values, a and b. The entire operation can be simplified as (a*RAY + b/2)/b, where RAY is the precision scaling factor set at 10^27. This is equivalent to a*RAY/b + 0.5, achieving a rounding effect. The primary source of error comes from b: if b is extremely small relative to a, the error is negligible; however, if b is on a similar scale to a, the error could approach the magnitude of a itself.
For example: if a*RAY = 10,000 and b = 3, the result is 3,333—a deviation of 1/10,000 from the actual value. But if a*RAY = 10,000 and b = 3,000, the result becomes 3—off by 1/10 from the true value.
In this incident, the attacker manipulated b so that it was on the same order of magnitude as a, causing the calculation to effectively round 3/2.0001 down to 1—underestimating the true value by one-third.
Attack Process
Let’s examine the attacker’s steps:
1. The attacker first borrowed 3 million USDC via Aave’s flash loan feature, using it as initial capital for the attack.

2. The attacker deposited 2 million USDC into the Radiant contract and received 2 million rUSDCn tokens in return.

3. The attacker initiated a flash loan of 2 million USDC through the Radiant contract. Within the callback function, they repaid the 2 million USDC while simultaneously withdrawing the previously deposited USDC. Finally, the flash loan function called transferFrom to move the attacker’s USDC—including fees—into the contract. At this point, a fee of 9/10,000 was charged, which became part of the pool’s liquidity.

4. By repeating step 3 multiple times, the attacker inflated the liquidityIndex significantly, reaching a final value of 271800000000999999999999998631966035920.

5. Next, the attacker deployed a new contract and deposited 543,600 USDC into it. Since 5436 (the numeric value of USDC) is exactly twice 2718 (the numeric portion of the liquidityIndex), this enabled precise control over rounding behavior.

6. The attacker fully deposited the 543,600 USDC into the Radiant contract and received an equal amount of rUSDCn tokens.

7. The attacker withdrew 407,700 USDC. Normally, this should have burned an equivalent amount of rUSDCn. However, as noted earlier, the burn function uses precision scaling and rounding.
407700000000000000000000000000000000000 / 271800000000999999999999998631966035920 = 1.49999999, which rounds down to 1—resulting in a one-third shortfall.
As shown below, instead of burning 407,700 rUSDCn, only 271,800 were burned—meaning the attacker successfully withdrew 407,700 USDC while retaining excess tokens.

8. Exploiting the vulnerability identified in step 7, the attacker repeatedly performed deposit-and-withdraw cycles, each time extracting 1/3 more than they deposited, ultimately draining all USDC from the pool.

Fund Tracking
At the time of writing, the stolen 1,902 ETH remains unmoved in the attacker’s address. Beosin Trace will continue monitoring these funds.

As 2024 begins, we have already witnessed two major theft incidents. (Recap of yesterday’s security event: What happened in Orbit Chain, the year’s first major hack involving $80 million?) These events serve as a stark reminder that security vigilance remains critical within the Web3 ecosystem.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














