Radiant Capital was hit Wednesday by an apparent private key compromise that resulted in the loss of as much as $58 million in user assets.
It was the second hack this year on the Blockchain lending platform, following a $4.5 million hit that Radiant suffered in a January attack.
A recent report by crypto security firms Hacken and Extractor noted that 95% of all stolen DeFi funds in the third quarter of 2024 “were lost forever” – with more than half of the $463 million in losses coming from Indian cryptocurrency exchange WazirX.
“Access control is the most dangerous attack, with losses double those of all other attacks combined,” the report said. “Smart contract vulnerabilities most commonly appear after new versions are deployed.”
Radiant Capital Hacker May Have Accessed Multiple Private Keys
Ancilia Inc. was one of the first to report the hack, noting on X that the firm had “noticed several transferFrom user’s account through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerability functions.”
Cyvers Alerts reported that the Radiant platform appeared to have “suffered a private key compromise, leading to an ongoing attack. A malicious actor gained control of multi-sig wallets and has already drained over $50 million in user assets.
“Users are strongly advised to avoid interacting with the protocol at this time and revoke all data approval for the protocol. Please exercise caution until the situation is resolved.”
De.Fi Antivirus noted that the hacker “managed to get access to 3 signers – thus managed to transfer ownership and upgrade the contracts.”
How the hacker managed to obtain multiple signers’ private keys and gain control of smart contracts was the subject of some debate; there was some speculation that some Radiant key holders may have fallen victim to phishing or malware attacks.
Radiant Capital has so far said little about the attack, its last update occurring almost a day ago:
“We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum. We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible. Markets on Base and Mainnet are paused until further notice.”
Radiant also urged users to revoke access to the following contracts on revoke.cash:
- 0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1
- 0x30798cFe2CCa822321ceed7e6085e633aAbC492F
- 0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281
- 0xA950974f64aA33f27F6C5e017eEE93BF7588ED07
Web3 Security Firm Reshares Scammer’s Post
Discussions about the Radiant hack on X attracted multiple scammers that spoofed Radiant Capital accounts via typosquatting, or registering a name similar to the official @RDNTCapital account with misspellings that X users might not notice.
Web3 security firm Ancilia was one X user that got fooled and reshared a post from a scam account that included a link to a wallet drainer; the company subsequently apologized and deleted the post.
“We accidentally re-posted a scam link, apologized for that,” Ancilia said. “The post has been deleted. The official Twitter handle is @RDNTCapital”
The scammers remain quite active on X; here is an image of a similar post: