Radiant Capital (1st incident): Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0

Summary #

Radiant Capital (1st incident) suffered a Lending / Money Market (Aave V2 / Compound-lineage fork) on 2024-01-02, resulting in a loss of approximately $5M.

What happened #

Radiant Capital lost $4.5M just six seconds after activating a new USDC market — because the attacker monitored their governance proposal for weeks and had the exploit contract ready the moment the empty market went live.

Linked factors #

• RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — new USDC market activated via governance]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
• RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code (Aave V2 fork) — but design risk not caught as critical]
• RD-F-036 — related : ★ Flash-loanable voting weight — adjacent [via cross-hack: Factor 31: Permissionless Governance Execution Window]
• RD-F-038 — causal : Proposal execution delay < 24h [via cross-hack: Factor 31: Permissionless Governance Execution Window]
• RD-F-046 — related : ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
• RD-F-072 — causal : Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
• RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance activation of the new market was the trigger event]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Aave V2 fork]