Rob Behnke
October 21st, 2024
In October 2024, Radiant Capital suffered its second attack of the year. The first incident was a flash loan attack in which the attackers drained about $4.5 million from the protocol. The second eclipsed it by an order of magnitude: an estimated $53 million was taken, this time directly from users' wallets rather than from the protocol's own pools.
At its root, the Radiant Capital hack came down to signers being tricked into approving malicious transactions. The protocol's privileged operations sat behind a 3-of-11 multi-sig, meaning that signatures from any three of eleven private keys were enough to approve an important transaction. The threshold limits what a single compromised key can do, but the pool of eleven signers gave the attacker eleven potential targets, and compromising any three of them was sufficient.
According to Radiant Capital's own statement, the attacker used malware on the signers' devices that showed legitimate transaction data in the Safe (formerly Gnosis Safe) wallet frontend while different, malicious transactions were sent to the hardware wallets for signature and execution. The malware exploited the fact that occasional transaction failures are normal and expected in a Safe workflow: the frontend reported a failure, the signers retried, and each retry handed the attacker a valid signature over a transaction the signer never saw, without obviously disrupting what looked like the approval of a legitimate transaction. The transactions were simulated on Tenderly and reviewed, but because the hardware wallets were blind signing, displaying only an opaque hash rather than decoded parameters, the signers had no independent way to see that what the device was signing differed from what the frontend displayed.
With these signatures in hand, the attacker transferred ownership of the protocol's Pool Provider contract, which manages Radiant's various lending pools, to a contract under the attacker's control.
That attacker-controlled contract was then used to upgrade the pool contracts to malicious implementations. Because an upgrade changes the code behind an address but not the address itself, the new implementations inherited everything the legitimate ones had, including the token approvals users had granted to the pools, which the attacker used to pull funds straight out of user wallets.
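The check that would have exposed the substitution described above, as an added example that is not part of Radiant's statement or Safe's code: recompute the Safe EIP-712 transaction hash for the transaction the signer intends to approve and compare it with the hash the hardware wallet displays, since the device can only sign what it is actually handed. Keccak-256 is implemented inline so the script runs offline with no dependencies. The Safe, Pool Provider and attacker addresses, the nonce, and the `setEmissionSchedule(uint256)` call standing in for the routine transaction are constructed for the demo and are not Radiant's; `transferOwnership(address)` and `upgradeTo(address)` are the standard OpenZeppelin Ownable and proxy-upgrade signatures, used here as examples of admin calls worth refusing to sign blind.

```python
"""Recompute a Safe transaction hash offline and compare it with what the signing device
shows. Added example, not Radiant's or Safe's code; Keccak-256 is implemented inline so
it runs with no dependencies. Addresses and calldata below are constructed for the demo."""
MASK = (1 << 64) - 1
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def _keccak_f(A):
    # Keccak-f[1600]: 24 rounds of theta, rho+pi, chi, iota on 5x5 64-bit lanes A[x][y].
    for rc in RC:
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = _rol(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        A[0][0] ^= rc
    return A

def keccak256(data: bytes) -> bytes:
    # Ethereum's Keccak-256: rate 136 bytes, original 0x01 padding (hashlib's sha3_256 differs).
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            A[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        A = _keccak_f(A)
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def word(v) -> bytes:
    """ABI-encode one static value (uint256, uint8, address as int, or bytes32) as 32 bytes."""
    return v if isinstance(v, bytes) else v.to_bytes(32, "big")

def selector(signature: str) -> bytes:
    return keccak256(signature.encode())[:4]

# Type hashes as defined by the Safe contracts, recomputed here rather than pasted in.
DOMAIN_SEPARATOR_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")

def safe_tx_hash(chain_id, safe, to, value, data, nonce, operation=0, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token=0, refund_receiver=0) -> bytes:
    # The EIP-712 digest a Safe asks its owners to sign: the bytes32 a blind-signing device shows.
    domain = keccak256(DOMAIN_SEPARATOR_TYPEHASH + word(chain_id) + word(safe))
    struct = keccak256(SAFE_TX_TYPEHASH + word(to) + word(value) + keccak256(data)
                       + word(operation) + word(safe_tx_gas) + word(base_gas)
                       + word(gas_price) + word(gas_token) + word(refund_receiver)
                       + word(nonce))
    return keccak256(b"\x19\x01" + domain + struct)

# Standard admin entry points (OpenZeppelin Ownable, proxy upgrade) that deserve a second look.
DANGEROUS = {selector(s): s for s in ("transferOwnership(address)", "upgradeTo(address)")}

def describe_calldata(data: bytes) -> str:
    return DANGEROUS.get(bytes(data[:4]), "unknown selector 0x" + data[:4].hex())

def verify_displayed_hash(intended: dict, displayed_hex: str) -> bool:
    """True only if the hash on the signing device is the hash of the intended transaction."""
    h = displayed_hex[2:] if displayed_hex.startswith("0x") else displayed_hex
    return safe_tx_hash(**intended) == bytes.fromhex(h)

# Constructed addresses for the demo (hypothetical, not Radiant's contracts).
SAFE = 0x1111111111111111111111111111111111111111
POOL_PROVIDER = 0x2222222222222222222222222222222222222222
ATTACKER = 0xBAD0000000000000000000000000000000000BAD

if __name__ == "__main__":
    # What the compromised frontend displayed: a routine call to the Pool Provider
    # (setEmissionSchedule is a made-up stand-in for whatever the signers expected).
    intended = dict(chain_id=42161, safe=SAFE, to=POOL_PROVIDER, value=0, nonce=57,
                    data=selector("setEmissionSchedule(uint256)") + word(1000))
    # What actually reached the hardware wallet: an ownership transfer to the attacker.
    malicious = dict(intended, data=selector("transferOwnership(address)") + word(ATTACKER))
    shown = "0x" + safe_tx_hash(**malicious).hex()
    print("device shows", shown)
    print("matches intended tx:", verify_displayed_hash(intended, shown))  # False
    print("actual calldata is:", describe_calldata(malicious["data"]))  # transferOwnership(address)
```

Run this on a machine other than the one the Safe frontend runs on, fed with the parameters the signer was told to expect; if `verify_displayed_hash` returns False, nothing gets signed no matter what the frontend shows, because a mismatched hash means the device was handed a different transaction. The selector screen in `describe_calldata` is a cheaper second gate for calldata obtained independently of the frontend: an ownership transfer or proxy upgrade is exactly the kind of call that should never be approved on the strength of a UI rendering alone.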
The attacker deployed malicious contracts on four chains used by Radiant Capital (BSC, ARB, BASE, and ETH). However, only the attacks on BSC and ARB were executed, netting the attacker an estimated $53 million.
This second Radiant Capital hack shows that protecting private keys is necessary but not sufficient: the keys themselves never left the hardware wallets, yet the attacker still walked away with valid signatures. The protocol had implemented a multi-sig wallet and used hardware wallets, but the combination of a relatively low signing threshold (3) and a large pool of potential signers (11) created a significant attack surface.
The attack relied on malware, which meant the attacker had to infect multiple signers' devices. This is where the large signer set became a liability: with eleven candidates, the attacker needed to succeed against only three of them. On a compromised device the substitution was invisible from the frontend; catching it would have required each signer to go beyond the normal workflow and independently verify, on a clean machine, that the hash shown on the hardware wallet was the hash of the transaction they meant to approve.
Critical projects require a robust security program to defend against varied and sophisticated threats. While Radiant Capital implemented many security best practices, the attacker found a way to slip through the cracks. For help in protecting your project against attacks, reach out to Halborn.