Radiant Capital, a prominent decentralized finance (DeFi) protocol, has fallen victim to a major security breach, resulting in the loss of approximately $50 million USD.
The attack, which exploited vulnerabilities in the devices of long-standing, trusted developers, has been described as one of the most sophisticated hacks in DeFi history.
Details of the Attack
The breach targeted at least three developers, all of whom used hardware wallets and were geographically distributed. Attackers infiltrated these devices through an advanced malware injection process.
The malware manipulated the transaction data displayed on the front-end of Safe{Wallet} (formerly Gnosis Safe), leading developers to unknowingly sign malicious transactions.
These transactions appeared legitimate during manual reviews in simulation tools such as Tenderly, leaving no detectable anomalies until the funds were drained.
The breach occurred during a routine multi-signature emissions adjustment process, a standard procedure in the DAO’s operations.
Despite adhering to rigorous industry-standard protocols, including multiple manual transaction reviews, the attackers bypassed all detection mechanisms.
This stealthy approach enabled them to authorize unauthorized transferOwnership actions, effectively seizing control of key protocol components on the Arbitrum and Binance Smart Chain (BSC) networks. They also exploited open approvals to withdraw funds from user accounts.
The Fallout
The attackers drained funds primarily from Radiant Capital’s core markets on Arbitrum and BSC. In response, the Radiant DAO took immediate actions to contain the damage:
Users were strongly urged to revoke token approvals across all supported chains, including Arbitrum, BSC, Ethereum, and Base.
The DAO has engaged U.S. law enforcement and partnered with cybersecurity firm ZeroShadow to freeze stolen assets and identify the perpetrators.
To prevent further damage, key operations across compromised networks were paused, and a comprehensive overhaul of the security framework was initiated.
The attackers’ strategy involved exploiting routine transaction errors, a common occurrence in multi-signature operations. Developers were prompted to resubmit signatures after encountering front-end error messages.
This allowed attackers to collect three valid but malicious signatures without raising suspicion. The malware ensured that all displayed transaction data seemed legitimate, leveraging the trust placed in front-end interfaces and hardware wallets.
Notably, the attackers also used gas price fluctuations, nonce mismatches, and network congestion, all normal occurrences in blockchain transactions, to further obscure their activities. External security teams, including SEAL911 and Hypernative, confirmed that the breach was undetectable through standard review processes.
Immediate Post-Breach Measures
In the aftermath of the attack, Radiant Capital has implemented several security upgrades to mitigate future risks. Key measures include:
- Fresh Wallets: Contributors created new cold wallet addresses using uncompromised devices.
- Reduced Signer Thresholds: The signer set for key transactions was reduced to seven, and the signing threshold was raised to four out of seven.
- Transaction Verification: Enhanced multi-layer verification processes were introduced, including manual reviews of raw transaction payloads using tools like Etherscan’s input data decoder.
- Timelocks and Separation of Permissions: Minimum 72-hour timelocks were implemented for critical actions, and permissioned roles were separated across contracts to reduce centralized risks.
- Protocol Redeployment: The core Aave V2 lending suite contracts are being redeployed on secure systems.
This breach highlights the pressing need for stronger safeguards in DeFi ecosystems. Radiant’s case underscores several potential security improvements for the broader DeFi community, including:
- Independent devices for transaction verification.
- Avoiding blind signing on hardware wallets and ensuring transaction data is readable on all interfaces.
- Automatic audits triggered by recurring transaction errors.
Radiant Capital has reiterated its commitment to assisting affected users and working with agencies to recover stolen funds. The DAO has reassured its community of its ongoing efforts to enhance security and rebuild trust.
While the attack has been devastating, Radiant’s proactive response, including widespread transparency and collaboration with global authorities, serves as a valuable case study for tightening security within the rapidly evolving DeFi space.