Radiant Capital Releases Post-Mortem Analysis of $50M Attack

Radiant Capital has released a detailed analysis of the October 16 exploit that led to the loss of more than $50 million in user funds.

According to the post-mortem, the attacker used highly advanced malware to poison transactions, enabling them to steal funds during a routine multi-signature process.

Attack Methodology Exploited Common Errors

It all started with the hacker compromising hard wallets belonging to three of the protocol’s core developers and injecting them with malware that mimicked legitimate transactions. As the developers signed what they believed were routine emissions adjustments, the malware executed unauthorized transactions in the background.

Radiant Capital reiterated that its contributors followed standard operating procedures to the letter in the fateful process. They simulated each transaction for accuracy on the full-stack Web3 infrastructure platform, Tenderly, while also putting them through individual review at every signature stage.

Despite these multiple layers of verification, front-end checks showed no visible signs of anomalies even as the malware wormed its way into the protocol’s systems.

What also stood out in the company’s assessment was how the attacker took advantage of common transaction failures to execute the hack. They used wallet resubmissions, often caused by gas price fluctuations or network congestion, as cover to collect the private keys, all while maintaining the appearance of normalcy.

The perpetrator then gained control of some smart contracts and eventually siphoned millions of dollars worth of cryptocurrencies, including USDC, wrapped BNB (wBNB), and Ethereum (ETH).

The actual amount stolen varies between $50 million and $58 million, depending on the source reporting it. However, the decentralized finance (DeFi) platform has stated the lower figure in its accounting of the incident.

FBI Tapped to Help Recover Stolen Funds

In the report, the cross-chain lender said it is working closely with U.S. law enforcement, including the FBI, as well as cybersecurity firms SEAL911 and ZeroShadow to track the stolen crypto.

Further, as a precaution, it advised users to revoke approvals across all chains, including Arbitrum, BSC, and Base. This step is in response to the exploiter capitalizing on open approvals to drain funds from accounts.

Radiant Capital has also created new cold wallets and adjusted signing thresholds to improve the platform’s security. Likewise, it has introduced a mandatory 72-hour delay for all contract upgrades and ownership transfers. It is meant to give the community enough time to check transactions before final execution.

However, given the level of sophistication in the breach, the firm has conceded that even these measures may not have prevented the attack.

DeFi exploits have grown at an alarming pace, and a couple of recent surveys paint a drab picture. According to PeckShield, there were more than 20 hacks in September, leading to more than $120 million in losses.

In addition, another on-chain security firm, Hacken, announced that more than $440 million stolen from crypto platforms in the third quarter of 2024 had been lost forever.