Radiant Capital attackers used malware to hijack developer wallets and steal over $50 million in assets.
According to Radiant Capital’s post-mortem report, the attack on October 16, 2024, which caused a loss of over $50 million, was “one of the most sophisticated attacks ever recorded in DeFi.”
The attackers compromised the hardware wallets of at least three Radiant developers through a sophisticated malware injection, and the report notes that more devices may have been targeted.
The malware manipulated the front-end interface of Safe{Wallet} (formerly Gnosis Safe), displaying legitimate transaction data to the developers while the malicious transaction was actually being queued for signing in the background.
The attack was carried out during the routine multi-signature emissions regulation process, which is performed periodically to adapt to changing market conditions. Despite multiple layers of verification through Tenderly simulations and manual reviews, no anomalies were detected in the signing process, the report said.
The attackers took advantage of the resending of Safe App transactions, which is common because of gas price fluctuations or network congestion. By mimicking these routine failures, they collected multiple valid signatures without being noticed and used them to call the “transferOwnership” function, which transferred control of Radiant’s lending pools to the attackers.
The breach affected Binance Smart Chain (BSC) and Arbitrum. With ownership of the contracts, the attackers modified the lending pool smart contracts and, as Web3 security firm De.Fi previously reported, exploited the transferFrom function to drain assets from every user who had granted the lending pools a token approval.
Additionally, the report added that many protocols may be at risk and recommended various preventive measures. These include implementing multi-layer signature verification, using a standalone device to verify transaction data, preventing blind signing for critical transactions, and setting up error-triggered checks to detect potential issues before signing.
In an Oct. 18 post, independent programmer Daniel Von Fange noted that the attackers were still draining assets through the compromised contracts and advised users to revoke any approvals they had granted to the affected contracts as quickly as possible to prevent further losses.
Post-hack precautions
Radiant Capital has since paused lending markets on BNB Chain and Arbitrum. In a post dated October 17, Radiant confirmed that it was working with several cybersecurity firms, including SEAL911, Hypernative, and Chainalysis, to investigate the incident and recover the stolen assets.
The lending protocol’s immediate preventive measures include creating new cold wallet addresses on uncompromised devices for each member of the Vault, reducing the number of signers to 7, and raising the signature threshold to 4 of 7. In addition, contributors will double-check the data of every transaction with Etherscan’s input data decoder before signing, so that what they sign is verified independently of the wallet front end.
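The recommendations above (a standalone device to verify transaction data, no blind signing of critical transactions, decoding the input data before signing) come down to one check: decode the calldata the Safe will actually execute, on a machine the wallet front end cannot influence, and compare it with what the UI displayed. The following is an added example, not code from Radiant Capital, Safe or Etherscan. It assumes the signer has obtained two things: the calldata shown by the wallet UI and the calldata of the transaction actually queued for signature (fetched from an independent source on a separate device). The 4-byte selector table is the public Ethereum function-selector mapping; the addresses and the two sample transactions are constructed for this example and are not Radiant’s contracts.

```python
# Added example, not code from Radiant Capital, Safe or Etherscan: decode the
# raw calldata of a Safe transaction on an independent device and refuse to
# sign when it does not match what the wallet UI displayed, or when it is a
# privileged call such as transferOwnership(address). The selector table is
# the public 4-byte function-selector mapping; the addresses and the two
# sample transactions are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional

WORD = 32  # every static ABI argument occupies one 32-byte word

# 4-byte selector (hex) -> (signature, argument types, privileged?)
KNOWN_SELECTORS = {
    "f2fde38b": ("transferOwnership(address)", ["address"], True),
    "23b872dd": ("transferFrom(address,address,uint256)", ["address", "address", "uint256"], False),
    "095ea7b3": ("approve(address,uint256)", ["address", "uint256"], False),
    "a9059cbb": ("transfer(address,uint256)", ["address", "uint256"], False),
}


@dataclass
class DecodedCall:
    selector: str
    signature: Optional[str]  # None when the selector is not in the table
    args: list
    privileged: bool


def _strip0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def encode_static_call(selector: str, types: List[str], values: list) -> str:
    """Build calldata for a call whose arguments are all static (address/uint256)."""
    out = selector
    for t, v in zip(types, values):
        if t == "address":
            out += _strip0x(v).lower().rjust(2 * WORD, "0")  # left-pad 20 bytes to 32
        elif t == "uint256":
            out += format(v, "064x")
        else:
            raise ValueError(f"unsupported type {t}")
    return "0x" + out


def decode_calldata(calldata_hex: str) -> DecodedCall:
    raw = bytes.fromhex(_strip0x(calldata_hex))
    if len(raw) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = raw[:4].hex()
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None:
        # Unknown function: do not guess, the signer has to resolve it first.
        return DecodedCall(selector, None, [], False)
    signature, types, privileged = entry
    body = raw[4:]
    if len(body) != WORD * len(types):
        raise ValueError(f"{signature}: expected {WORD * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, t in enumerate(types):
        word = body[i * WORD:(i + 1) * WORD]
        if t == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(selector, signature, args, privileged)


def pre_sign_check(displayed_hex: str, to_sign_hex: str) -> List[str]:
    """Reasons to refuse signing; an empty list means the queued payload is exactly
    what the UI showed and is not a privileged or unknown call."""
    shown = decode_calldata(displayed_hex)
    real = decode_calldata(to_sign_hex)
    reasons = []
    if _strip0x(displayed_hex).lower() != _strip0x(to_sign_hex).lower():
        reasons.append(f"calldata mismatch: UI shows {shown.signature or '0x' + shown.selector}, "
                       f"payload is {real.signature or '0x' + real.selector}")
    if real.signature is None:
        reasons.append(f"unknown selector 0x{real.selector}: refusing to blind-sign")
    if real.privileged:
        reasons.append(f"privileged call {real.signature} with target {real.args[0]}")
    return reasons


# Constructed addresses and transactions (placeholders, not real Radiant contracts).
LENDING_POOL = "0x" + "22" * 20
ATTACKER = "0x" + "11" * 20
# What the compromised front end displayed: a routine-looking approve().
DISPLAYED_TX = encode_static_call("095ea7b3", ["address", "uint256"], [LENDING_POOL, 10**18])
# What was actually queued for signing: hand ownership of the contract to the attacker.
QUEUED_TX = encode_static_call("f2fde38b", ["address"], [ATTACKER])

if __name__ == "__main__":
    for reason in pre_sign_check(DISPLAYED_TX, QUEUED_TX):
        print("REFUSE:", reason)
```

Two design points follow from the incident. Refusing unknown selectors is what “no blind signing” means in practice: a hardware wallet that only shows a hash cannot tell the signer that the payload is transferOwnership, so the decode has to happen before the hash reaches the device. And the comparison is only worth anything if the queued calldata is fetched on a clean, separate machine; a compromised workstation can lie about what it fetched just as easily as the malicious front end lied about what it displayed, which is why the report recommends a standalone device for this step.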
The company is also collaborating with ZeroShadow to analyze the digital footprint left by exploiters, while working with US law enforcement to freeze stolen funds and track down attackers.