Radiant Capital - REKT

2024 is off to a bright start...
Lending protocol Radiant Capital lost 1900 ETH ($4.5M) yesterday to a known bug affecting freshly-launched markets.
Radiant, a fork of Aave V2, operates on Arbitrum and BSC, with the hack occurring on the Arbitrum deployment’s new native USDC market.
It appears the attacker had been lying in wait, likely having identified the vulnerability in Aave-forks via updates to the Aave protocol itself.
The attacker’s address, as well as Discord screenshots, were posted to Twitter, raising the alarm. An official confirmation came later, adding:
No current funds are at risk.
So, just the $4.5M that had already been stolen, then?

Credit: Peckshield, Ancilia
The issue in forked Aave V2 code affects recently-launched (and therefore empty) markets.
A potential attacker has a brief window after launch to use a flash loan to manipulate the value of collateral, thanks to the combination of a rounding error and a totalSupply value of 0.
The exploiter wasted no time, deploying their attack contract just six seconds after the new market was activated.
The bug was previously mitigated in the original Aave protocol by simply including an initial deposit with the creation of new markets, ensuring they are never sitting empty.
Given the speed of the attack, the attacker had clearly prepared everything in advance whilst waiting for the proposal to add the market (which passed on December 25th) to be enacted.
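To make the "rounding error plus totalSupply of 0" combination concrete, here is an added Python model (not Radiant's or Aave's code) of Aave-V2-style scaled-balance accounting. Aave stores deposits as `amount.rayDiv(liquidityIndex)` and reads them back as `scaled.rayMul(liquidityIndex)` using 27-decimal "ray" fixed point; the two rounding formulas below follow Aave's WadRayMath. The example shows that the round-trip error is zero while the index is 1.0, grows to a few wei at ordinary index values, and becomes material once the index is far from 1.0 (the 10^9 multiplier is a constructed illustration, not a figure from the incident), which is why an index that can be moved at will in an empty market is dangerous. It also includes the pre-activation check corresponding to Aave's mitigation: a market must already hold a seed deposit before it goes live.

```python
# Added example (not Radiant's or Aave's code): scaled-balance accounting in
# 27-decimal "ray" fixed point, to show how rounding error scales with the
# liquidity index, plus the launch invariant that keeps a market from being empty.

RAY = 10**27
HALF_RAY = RAY // 2


def ray_mul(a: int, b: int) -> int:
    """a * b in ray fixed point, rounded half-up (Aave WadRayMath formula)."""
    return (a * b + HALF_RAY) // RAY


def ray_div(a: int, b: int) -> int:
    """a / b in ray fixed point, rounded half-up (Aave WadRayMath formula)."""
    return (a * RAY + b // 2) // b


def round_trip_error(amount: int, liquidity_index: int) -> int:
    """Deposit `amount` wei at `liquidity_index`.

    The pool records scaled = amount.rayDiv(index) and later reports the
    balance as scaled.rayMul(index). Returns reported balance minus the
    amount actually deposited; a non-zero result is pure rounding error.
    """
    scaled = ray_div(amount, liquidity_index)
    return ray_mul(scaled, liquidity_index) - amount


def balance_granularity(liquidity_index: int) -> int:
    """Approximate size in wei of one scaled-balance unit at this index.

    Balances are effectively quantised to multiples of index / RAY wei, so the
    larger the index, the coarser the bookkeeping and the larger the possible
    rounding error on any single deposit or withdrawal.
    """
    return liquidity_index // RAY


def market_is_seeded(total_supply: int) -> bool:
    """Aave's mitigation, as a launch check: never activate an empty market.

    With totalSupply == 0 there is no existing depositor whose balance anchors
    the index, so the first interactions can move it freely. A seed deposit
    (total_supply > 0) made as part of market creation removes that window.
    """
    return total_supply > 0


if __name__ == "__main__":
    one_eth = 10**18
    # Index exactly 1.0: deposits round-trip perfectly.
    print("index 1.0  :", round_trip_error(one_eth, RAY))
    # Index 3.0 (constructed): off by a single wei.
    print("index 3.0  :", round_trip_error(one_eth + 1, 3 * RAY))
    # Index 1e9 (constructed, far beyond any organic growth): error of 0.4 gwei.
    inflated = RAY * 10**9
    print("index 1e9  :", round_trip_error(one_eth + 6 * 10**8, inflated))
    print("granularity:", balance_granularity(inflated), "wei")
    print("empty market ready?", market_is_seeded(0))
    print("seeded market ready?", market_is_seeded(one_eth))
```

The takeaway for anyone launching a market on forked Aave V2 code is the last two lines: the check is trivial, but it has to be part of the activation path itself rather than a manual step someone remembers to do after the governance proposal executes.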
Attacker’s address: 0x826d5f4d8084980366f975e10db6c4cf1f9dde6d
Attack contract: 0x39519c027b503f40867548fb0c890b11728faa8f
Attack tx 1: 0x1ce7e9a9…
Attack tx 2: 0x2af55638…
Attack tx 3: 0xc5c4bbdd…
The Radiant team has sent an on-chain message to the hacker’s address (where funds remain), and appears confident that it is dealing with a whitehat “for various reasons”.

Despite four audits, from OpenZeppelin, BlockSec, Peckshield and Zokyo, a constantly-evolving security landscape means updates must be made in a timely manner.
Especially when dealing with forked code.
We've discussed the risks of forks plenty of times, with multiple leaderboard entries down to vulnerabilities patched in one place before being exploited elsewhere.
When a project copy-pastes an established protocol, the original’s larger TVL attracts more eyes, providing an early warning system for bugs like these.
But if lessons aren’t learned, there’s little to be done.
Are any other forked protocols planning to launch new markets soon?
Are they up to date on the risks?

REKT serves as a public platform for anonymous authors. We take no responsibility for the views or content expressed on this website.
Donation (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
Disclaimer:
REKT bears no responsibility for any content posted on our Website or related in any way to the Services we provide, regardless of whether it was published or created by an Anonymous Author of our Website or by REKT. Although we set rules of conduct and publication standards for Anonymous Authors, we do not control and are not responsible for the content of Anonymous Authors’ publications, nor for what Authors share or transmit through our Site and our Services, and we are not responsible for any offensive, inappropriate, obscene, unlawful or objectionable content you may encounter on our Website and our Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or our Services.