Hackers targeted Radiant Capital by employing malware to seize developer wallets, resulting in a theft exceeding $50 million.
As detailed in Radiant Capital’s post-mortem report, the event on October 16, 2024, was described as “one of the most advanced hacks ever documented in DeFi,” with losses amounting to over $50 million.
The attackers successfully infiltrated the hardware wallets of at least three developers associated with Radiant, using a sophisticated method of malware injection, although there are concerns that other devices may also have been impacted.
This malware altered the user interface of Safe{Wallet} (previously known as Gnosis Safe), showing authentic transaction information to the developers while simultaneously executing harmful transactions behind the scenes.
The breach occurred during a standard multi-signature emissions adjustment, a process that regularly occurs to respond to shifting market dynamics. The report indicated that even with multiple verification steps through Tenderly simulations and manual scrutiny, no irregularities were found during the signing phase.
The attackers exploited transaction resubmissions in the Safe App, a routine occurrence caused by gas price variability or network congestion. By mimicking these ordinary errors, they collected multiple compromised signatures unnoticed and ultimately obtained signatures on a transaction calling the transferOwnership function, enabling them to seize control of Radiant’s lending pools.
The incident impacted Binance Smart Chain (BSC) and Arbitrum, with the attackers leveraging these signatures to modify smart contracts, specifically exploiting the transferFrom function as previously identified by the Web3 security company De.Fi, which permitted them to drain assets from users who had approved the lending pools.
The report further mentioned that a number of protocols could be at risk, recommending various preventative strategies. These include establishing multi-layer signature verification, utilizing a separate device for transaction data verification, avoiding blind signing for critical operations, and instituting audits triggered by errors to identify possible problems prior to signing.
On October 18, independent developer Daniel Von Fange shared on X that the attackers were still in the process of draining any new assets directed to the compromised wallets, urging users to promptly revoke any approvals associated with the affected contracts to prevent further losses.
Post-attack actions
In response, Radiant Capital has temporarily halted its lending markets on BNB Chain and Arbitrum. In an October 17 post on X, Radiant announced its collaboration with multiple cybersecurity firms, including SEAL911, Hypernative, and Chainalysis, to investigate the breach and retrieve the stolen assets.
Immediate preventive steps taken by the lending protocol involve generating new cold wallet addresses on uncompromised devices for all Safe members, reducing the number of signers to seven, and raising the signing threshold to four out of seven. Additionally, contributors will verify the input data of every transaction with the input data decoder on Etherscan before signing.
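As an added example (not Radiant Capital’s or Safe’s code) of the independent, second-device verification these recommendations describe: it compares the calldata actually being signed against the operator’s stated intent, refuses ownership transfers outright, and flags a “resubmission” whose payload differs from the first attempt. The two selectors are the well-known 4-byte function selectors of transferOwnership and transferFrom; any expected selector for the routine emissions-adjustment call is a hypothetical placeholder supplied by the caller.

```python
from dataclasses import dataclass

# Added example, not Radiant Capital's or Safe's code. Selectors are the
# well-known first 4 bytes of keccak256(function signature).
SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
NEVER_SIGN = {"f2fde38b"}  # ownership changes are never a routine emissions tweak

@dataclass(frozen=True)
class SafeTx:
    to: str     # target contract address (hex)
    value: int  # wei
    data: str   # raw calldata hex, with or without 0x prefix

def _strip(h: str) -> str:
    return h[2:].lower() if h.lower().startswith("0x") else h.lower()

def selector(data: str) -> str:
    """4-byte function selector of the calldata, lowercase hex without 0x."""
    h = _strip(data)
    if len(h) < 8:
        raise ValueError("calldata shorter than a selector")
    return h[:8]

def address_arg(data: str, index: int) -> str:
    """Decode static argument `index` as an address (right-aligned in a 32-byte word)."""
    word = _strip(data)[8 + 64 * index: 8 + 64 * (index + 1)]
    if len(word) != 64:
        raise ValueError("calldata truncated")
    return "0x" + word[-40:]

def check_intent(tx: SafeTx, expected_to: str, expected_selector: str) -> list[str]:
    """Compare the calldata actually being signed with the operator's stated intent.
    Returns reasons to refuse; an empty list means the two agree."""
    problems, sel = [], selector(tx.data)
    if _strip(tx.to) != _strip(expected_to):
        problems.append(f"target {tx.to} is not the expected {expected_to}")
    if sel in NEVER_SIGN:
        problems.append(f"calldata is {SELECTORS[sel]} to {address_arg(tx.data, 0)}")
    elif sel != expected_selector.lower():
        problems.append(f"selector {sel} is not the expected {expected_selector}")
    return problems

def check_resubmission(first: SafeTx, retry: SafeTx) -> list[str]:
    """A genuine gas/congestion retry re-signs identical fields; any change is suspect."""
    return [f"{f} changed between attempts" for f in ("to", "value", "data")
            if getattr(first, f) != getattr(retry, f)]
```

Run on a second, uncompromised device against the raw `to` and `data` of the proposed Safe transaction; a non-empty result from either check means the signer should refuse, regardless of what the primary UI displays.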
The organization is also engaging with U.S. law enforcement agencies to freeze the stolen assets and trace the culprits while partnering with ZeroShadow to analyze the digital traces left by the attackers.