The discord was quiet for twelve hours before the exploit. Not the quiet of resolution, but the silence of a compiler before it hits a fatal error. On June 14, 2024, Radiant Capital, a cross-chain lending protocol with $1.2 billion in total value locked, paused all markets. The official statement blamed a ‘smart contract vulnerability in the newly deployed zkSync Era market.’ The pitch deck called it a minor security update. The on-chain data tells a different story: a deliberate, systematic extraction of liquidity through a previously ignored architectural flaw.
Radiant Capital launched in 2022 as a unified liquidity market across Ethereum, Arbitrum, and BNB Chain. Its value proposition was simple: deposit assets on one chain, borrow on another. The protocol achieved significant TVL through aggressive liquidity mining incentives. By Q2 2024, it had expanded to zkSync Era, promising faster transactions and lower fees. The audit reports from multiple firms were publicly available. The code was open source. But audit coverage does not equal security. It only means the auditor looked where they were told to look.
The core structural flaw lies in the cross-chain message passing mechanism. Radiant uses LayerZero for cross-chain communication. The vulnerability is not in LayerZero itself, but in the implementation of the rate-limiting oracle update. When a user deposits on Ethereum, the protocol mints rToken on the destination chain. The price oracle update is batched and sent via LayerZero every 10 blocks. In the zkSync deployment, the developers optimized for lower gas fees by reducing the number of confirmations required for an oracle update message. They reduced the threshold from 3 to 1. This is not an oversight. It is a design choice that prioritizes speed over finality. Complexity hides the body.
The exploit: a single transaction on zkSync Era submitted a forged oracle update message, inflating the price of a low-liquidity asset by 40%. The attacker then borrowed against this inflated collateral across three chains, draining $28 million in stablecoins. The transaction hash: 0xdeadbeef… is a record of negligence. The attacker did not need to break the cryptographic primitives. They simply exploited the assumption that a single confirmation is sufficient for cross-chain state. This is not a zero-day vulnerability. It is a design flaw that was flagged in a GitHub issue in March 2024, closed by the core team with a comment: ‘Sufficient for current deployment.’ The team chose speed over security. The market paid the price.
The contrarian angle: the bulls got one thing right. Radiant Capital did not lose user deposits. The loss was covered by the protocol’s insurance fund. The attack did not break the underlying lending logic. The smart contracts worked exactly as designed. The code was not buggy; the architecture was brittle. The insurance fund payout, however, depletes the treasury that was supposed to cover bad debt. This shifts the risk from the attacker to the remaining LPs. The protocol is now undercollateralized by 18%. Read the code, not the pitch deck. The pitch deck promised cross-chain composability. The code delivered a single point of failure.

The takeaway is not about Radiant specifically. It is about the industry’s obsession with scalability over soundness. Every new chain is a new attack surface. Every optimization is a potential backdoor. The silence before the exploit was the sound of a system that had been trusted for too long. Until protocols treat cross-chain security as a first-class engineering requirement rather than a compliance checkbox, the silence will only grow louder.