Post-mortem reveals stealthy malware injection led to $50m Radiant Capital exploit
Radiant Capital attackers used malware to hijack developer wallets and swipe over $50 million in assets.
According to Radiant Capital’s post-mortem report, the attack on Oct. 16, 2024, which led to losses upwards of $50 million, was “one of the most sophisticated hacks ever recorded in DeFi.”
The attackers compromised the hardware wallets of at least three Radiant developers through a sophisticated malware injection, though it is believed that more devices may have been targeted.
The malware manipulated the front-end interface of Safe{Wallet} (formerly known as Gnosis Safe), displaying legitimate transaction data to the developers while executing malicious transactions in the background.
The attack was executed during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to changing market conditions. Despite multiple layers of verification through Tenderly simulations and manual reviews, no anomalies were detected during the signing process, the report added.
The attackers took advantage of Safe App transaction resubmissions, a common occurrence due to issues like gas price fluctuations or network congestion. By mimicking these routine errors, the attackers collected multiple compromised signatures unnoticed, eventually signing the “transferOwnership” function, which transferred control of Radiant’s lending pools to the attackers.
The breach affected Binance Smart Chain (BSC) and Arbitrum, with the attackers using these signatures to alter smart contracts, specifically exploiting the transferFrom function as previously reported by Web3 security firm De.Fi. This allowed them to drain assets from users who had granted approval to the lending pools.
Further, the report added that many protocols might be at risk and suggested several preventative measures. These include implementing multi-layer signature verification, using an independent device for verifying transaction data, avoiding blind signing for critical transactions, and setting up error-triggered audits to catch potential issues before signing.
In an Oct. 18 X post, Independent programmer Daniel Von Fange noted that the attackers were still draining any assets being transferred to the compromised wallets and advised users to quickly revoke any approvals they had given to the affected contracts to avoid further losses.
Post-hack measures
Radiant Capital has since paused its lending markets on BNB Chain and Arbitrum. In an Oct. 17 X post, Radiant confirmed it was working with several cybersecurity firms, including SEAL911, Hypernative, and Chainalysis, to investigate the incident and recover the stolen assets.
The lending protocol’s immediate preventive measures include generating fresh cold wallet addresses using uncompromised devices for each member of the Safe, reducing the number of signers to 7, and increasing the signing threshold to 4 out of 7. Further, contributors will also double-confirm transaction data for each transaction using the input data decoder on Etherscan to ensure added accuracy before signing.
The company is also working with U.S. law enforcement agencies to freeze the stolen funds and trace the attackers while collaborating with ZeroShadow to analyze the digital footprint left by the exploiters.