A cryptocurrency thief stole millions in record time. Just six seconds after a new smart contract was issued by an organization called Radiant Capital, the perpetrator illegally minted and withdrew over 1,900 units of the cryptocurrency Ethereum. At the time of the crime on Tuesday, this amounted to approximately 4.5 million US dollars or four million euros.
Radiant Capital is a decentralized autonomous organization (DAO) that describes itself as “the future of DeFi” and “DeFi 3.0.” It wants to support cryptocurrency gamblers by enabling them to grant and take out cryptocurrency loans across different blockchains and cryptocurrencies. In technical terms, this is called an on-chain lending contract. DeFi 1.0 suffers from having too many imitators, which is why almost all cryptocurrencies will soon become worthless.
Thanks to “revolutionary changes”, Radiant v2 would make everything better, or so the promise went a year ago. The cross-chain lending contract launched on Tuesday was not a revolution, but rather an imitation: Radiant Capital recycled code from the existing cryptocurrency lending platforms Aave and Compound.
Predatory rounding error
In doing so, the operators made a mistake that was already all but known. The thief took advantage of it, crypto analysis firms PeckShield and Beosin reported. The perpetrator found a way to double the rounding error: in a very short period of time, he repeatedly took out very short-term loans (flash loans) and repaid them immediately. The rounding error left him with a small surplus in each round, so he eventually managed to take home around 1,902.6 ETH.
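Why the direction of rounding matters in this kind of bookkeeping can be shown with a toy model. This is an added example, not code from Radiant Capital, Aave or Compound and not part of the original article; the `Pool` class, the index of 3 and the 1,000 units of seed liquidity are constructed assumptions. It compares a pool that rounds to nearest on both sides with one that always rounds against the caller, and checks the invariant that nobody can take out more than they paid in.

```python
# Added illustration: simplified share accounting, not any real protocol's code.
from dataclasses import dataclass, field
from typing import Callable

def div_half_up(a: int, b: int) -> int:   # rounds to nearest
    return (a + b // 2) // b

def div_down(a: int, b: int) -> int:      # rounds toward zero
    return a // b

def div_up(a: int, b: int) -> int:        # rounds away from zero
    return -(-a // b)

@dataclass
class Pool:
    mint_div: Callable[[int, int], int]   # rounding used when crediting shares
    burn_div: Callable[[int, int], int]   # rounding used when debiting shares
    index: int = 3                        # constructed: underlying units per share
    cash: int = 1000                      # constructed: other depositors' funds
    shares: dict = field(default_factory=dict)

    def deposit(self, who: str, amount: int) -> None:
        self.cash += amount
        self.shares[who] = self.shares.get(who, 0) + self.mint_div(amount, self.index)

    def withdraw(self, who: str, amount: int) -> bool:
        burned = self.burn_div(amount, self.index)
        if burned > self.shares.get(who, 0) or amount > self.cash:
            return False                  # insufficient shares or liquidity
        self.shares[who] -= burned
        self.cash -= amount
        return True

def round_trip_gain(mint_div, burn_div, deposit: int, chunk: int) -> int:
    """Cash out minus cash in for one deposit followed by repeated withdrawals."""
    pool, out = Pool(mint_div, burn_div), 0
    pool.deposit("user", deposit)
    while pool.withdraw("user", chunk):
        out += chunk
    return out - deposit

def max_gain(mint_div, burn_div, limit: int = 10) -> int:
    """Invariant check: a correct pool never yields a positive value here."""
    return max(round_trip_gain(mint_div, burn_div, d, c)
               for d in range(1, limit + 1) for c in range(1, limit + 1))

if __name__ == "__main__":
    print("nearest/nearest:", max_gain(div_half_up, div_half_up))  # leaks value
    print("down/up        :", max_gain(div_down, div_up))          # does not
```

With rounding to nearest, a withdrawal small enough to round to zero shares costs the caller nothing, which is why the invariant fails so badly; crediting with `div_down` and debiting with `div_up` makes every rounding error fall on the caller instead of the pool.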
Radiant Capital initially shut down the misleadingly named smart contract; this means that no further trades are possible until further notice. However, the theft immediately attracted other scammers. They pretend to be Radiant Capital and offer seemingly well-intentioned advice: anyone who has granted Radiant Capital access to their cryptocurrency wallet should revoke those permissions immediately so as not to risk losses. Helpfully, the scammers also post links to websites where users can take the recommended step after proper authentication. In fact, this is trolling. Anyone who logged in there was lost.
Meanwhile, the real operators of Radiant Capital are trying to negotiate with the clever millionaire thief. They sent him this love letter via the Ethereum blockchain:
Hello, We wanted to contact you about the vulnerability you exploited today. Well done on finding it! We assume you performed this exploit as a white or gray hat (for various reasons), so we look forward to opening communications to arrange next steps. Send us a message at [email protected] so we can talk more. Looking forward to chatting soon