Entry_point: rayDiv() arithmetic-and-state function during new market initialization + flash loan logic
Exploit_vector: Attacker manipulated small pool initialization and a liquidity index calculation with a rounding error, enabling them to withdraw more funds than they deposited via flash loan cycles.
Severity: Critical
Attack_steps:
Attacker took a ~$3M USDC flash loan from Aave.
Deposited 2M USDC into a newly deployed Radiant USDC market with uninitialized totalSupply.
In the flash loan callback, manipulated the liquidity index by swapping withdrawals, triggering rounding discrepancies in rayDiv().
Repeated deposit-withdraw loops (~18 iterations), draining ~$2.8M via the liquidity index error.
Root_cause: Rounding/precision flaw in rayDiv() calculation when handling initial low-liquidity markets; lack of safe-initialization and parameter validation.