Radiant Capital Suffers $50M Hack in One of DeFi’s Most Sophisticated Attacks

Radiant Capital Suffers $50M Hack in One of DeFi’s Most Sophisticated Attacks

Radiant Capital recently suffered a devastating attack in which over $50 million in assets were stolen, as detailed in their post-mortem report. The breach, which occurred on October 16, 2024, is being described as “one of the most sophisticated hacks ever recorded in DeFi.”

The attackers managed to compromise the hardware wallets of at least three Radiant developers by using advanced malware, with suspicions that more devices may have been affected. The malware targeted the Safe{Wallet} interface (formerly Gnosis Safe), tricking developers into believing they were signing legitimate transactions while secretly authorizing malicious ones.

This breach occurred during a routine multi-signature emissions adjustment, a regular process designed to optimize Radiant’s protocols in response to market shifts. Despite using both Tenderly simulations and manual checks, the attackers managed to avoid detection. The hackers exploited Safe App’s transaction resubmissions (typically caused by gas price changes or network congestion) making the malicious signatures appear as standard errors.

The pivotal point of the attack involved the “transferOwnership” function. By collecting several valid signatures, the hackers successfully gained control of Radiant’s lending pools. This allowed them to manipulate smart contracts on both Binance Smart Chain (BSC) and Arbitrum, taking advantage of previously granted permissions by users to drain their assets.

Web3 security firm De.Fi identified that the exploit centered on the manipulation of the “transferFrom” function. The attackers continued siphoning off assets from the compromised pools, prompting independent developer Daniel Von Fange to warn users to revoke any existing approvals to prevent further losses.

In response, Radiant Capital has halted its lending operations on BNB Chain and Arbitrum. In a statement made on October 17, the team confirmed its collaboration with cybersecurity experts from SEAL911, Hypernative, and Chainalysis to investigate the attack and attempt to recover the stolen funds.

Radiant has also implemented a series of immediate security measures, including generating new cold wallet addresses from uncompromised devices and reducing the number of authorized signers from 9 to 7, with a new signing threshold of 4 out of 7. Additionally, contributors will now verify transaction data more rigorously using input data decoders from Etherscan.

The protocol is also working closely with U.S. law enforcement to freeze the stolen funds and trace the perpetrators, while partnering with cybersecurity firm ZeroShadow to analyze the digital trail left by the hackers.

As the investigation continues, Radiant has urged users to revoke permissions tied to the affected contracts to mitigate further losses.