Blockchain security firms said the issue was caused by a “known rounding issue” in the codebase.
Cross-chain lending protocol Radiant Capital has paused its lending and borrowing markets on Arbitrum after receiving reports of a $4.5 million exploit affecting one of its newly created USDC Coin (USDC) markets.
“Today, we received a report of an issue with the newly created native USDC market on Arbitrum,” said Radiant in a Jan. 3 post on X (formerly Twitter), which they added was later validated by Radiant developers and the wider cybersecurity community.
Blockchain security firm Beosin described the exploit as a flash loan attack — with the attacker exploiting a “rounding issue” in the codebase, “which led to a cumulative precision error.”
This ultimately allowed the “attacker to profit through repeated deposit() and withdraw() operations,” it wrote in a Jan. 3 post on X.
An earlier Jan. 2 post from PeckShield also identified the issue as caused by a “known rounding issue” in the current Compound/Aave codebase.
“The root cause is not new: It basically exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave),” it added.
The ultimate Blockchain event by Cointelegraph is back – May 8-9, Hong Kong
The exploiter managed to siphon a total of $4.5 million in Ether
$2,364 from the protocol, according to data from Arbitrum block explorer Arbiscanner.
Radiant has since paused lending and borrowing markets on Arbitrum, and reassured investors that no additional funds were currently at risk. It promised a detailed postmortem, and pledged to restore normal operations once the investigation was completed.
“As a reminder, no action can be taken until the markets are unpaused on Arbitrum,” Radiant added.
Meanwhile, Crypto X has already been flooded with fake Radiant Capital accounts posting phishing links purporting to help users revoke approvals.
Radiant Capital is a decentralized borrowing and lending protocol with cross-chain functionality built using LayerZero technology. The protocol currently has around $315 million in total value locked, according to DefiLlama.