
Launched and hacked in seconds: Radiant Protocol loses $4.5 million
TechFlow Selected TechFlow Selected

Launched and hacked in seconds: Radiant Protocol loses $4.5 million
The reason is that in the new USDC market, the rounding error in the 'burn' function's math was amplified and exploited, allowing the hacker to withdraw extra USDC.
By Daniel Tan
On January 3, 2024, Beijing time, the Radiant Protocol on Arbitrum suffered a flash loan attack. The hacker launched three attacks against #Radiant Protocol, resulting in a total loss of 1,902 ETH (worth $4.5 million). The root cause was a mathematical rounding issue in the "burn" function of the newly deployed $USDC market, which the attacker exploited to withdraw extra $USDC.
MetaTrust Labs conducted an in-depth investigation and analysis of this attack, revealing how the vulnerability was exploited by the attacker.
Radiant Protocol – Lending Platform
Radiant is a decentralized, non-custodial lending protocol operating across multiple chains, including Arbitrum, BNB Chain, and Ethereum.

After the attack, the total value locked (TVL) in Radiant Protocol remained at $313 million, as the team promptly paused the protocol post-attack, preventing further losses.

Timeline

Transactions
0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d
0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243
0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b
Loss of Assets
The three attack transactions led to a total loss of over 1,902 ETH, worth more than $4.5 million. At the time of writing, the 1,902 $ETH remains in the hacker’s wallet (0x826d5f4d8084980366f975e10db6c4cf1f9dde6d).
Attacker
0x826d5f4d8084980366f975e10db6c4cf1f9dde6d
Attack Contract
0x39519c027b503f40867548fb0c890b11728faa8f
Targeted Contracts
Radiant: Lending Pool:
0xf4b1486dd74d07706052a33d31d7c0aafd0659e1
rUSDCn:
0x3a2d44e354f2d88ef6da7a5a4646fd70182a7f55
What Happened Before the Attack
Just 15 seconds before the attack, the project team had created a new USDC market on Arbitrum. The hacker was the first user to interact with this newly created USDC market.

Attack Steps
Take the first attack transaction 0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b as an example.
1. Borrow $3 million USDC via flash loan from Aave;
2. Deposit 2M $USDC into Radiant Pool, where liquidityIndex is 1e27;

3. Perform a $2 million flash loan on Radiant Lending Pool, increasing liquidityIndex to 1.8e36;
4. Repeat step 3 for 151 times, amplifying liquidityIndex up to 2.7e38—270 billion times its initial value;

5. Borrow 90.6 $ETH (~$215K) from Radiant Pool—this is the profit from the attack;
6. Create a new contract (0xd8b591);
7. Approve unlimited USDC allowance to the new contract, transfer 543K $USDC into it, and execute subsequent steps through this new contract;
8. Deposit 543K $USDC into Radiant Pool, minting only 2 wei tokens, because amountScaled = 2: (543600000002 * 1e27) / 271800000000999999999999998631966035920 = 2;


9. Withdraw 407K $USDC from Radiant Pool, burning only 1 wei token, because amountScaled = 1: (407700000000 * 1e27) / 271800000000999999999999998631966035920 = 1.5, but due to integer truncation in uint256 arithmetic, 1.5 becomes 1;


10. Deposit 271K $USDC into Radiant Pool, minting amountScaled = 1 token: (271800000001 * 1e27) / 271800000000999999999999998631966035920 = 1;
11. Withdraw 407K $USDC from Radiant Pool, burning only amountScaled = 1 token;
12. Repeat steps 10 and 11 up to 18 times, draining all previously deposited $USDC from the new market;
13. Swap 2 $WETH for 4.73K $USDC, then swap 3.23K $USDC for 1.36 $WETH;
14. Repay the Aave flash loan using $3 million USDC principal and $15,000 USDC as fee;
15. Realize a profit of 90 ETH.
Root Cause
The root cause lies in the fact that the attacker was the first to interact with the newly created native USDC market. By leveraging Radiant Protocol's flash loan functionality, the attacker amplified the liquidityIndex and exploited a mathematical rounding flaw in the burn function to steal assets from the lending pool.
Critical Code


Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










