Post-mortem Reveals Stealthy Malware Injection Led To $50m Radiant Capital Exploit
Radiant Capital attackers used malware to hijack developer wallets and swipe over $50 million in assets.
According to Radiant Capital’s post-mortem report, the attack on Oct. 16, 2024, which led to losses upwards of $50 million, was “one of the most sophisticated hacks ever recorded in DeFi.”
The attackers compromised the hardware wallets of at least three Radiant developers through a sophisticated malware injection, though it is believed that more devices may have been targeted.
The malware manipulated the front-end interface of Safe{Wallet} (formerly known as Gnosis Safe), displaying legitimate transaction data to the developers while executing malicious transactions in the background.
The attack was executed during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to changing market conditions. Despite multiple layers of verification through Tenderly simulations and manual reviews, no anomalies were detected during the signing process, the report added.
The attackers took advantage of Safe App transaction resubmissions, a common occurrence due to issues like gas price fluctuations or network congestion. By mimicking these routine errors, the attackers collected multiple compromised signatures unnoticed, eventually signing the “transferOwnership” function, which transferred control of Radiant’s lending pools to the attackers.
The breach affected Binance Smart Chain (BSC) and Arbitrum, with the attackers using these signatures to alter smart contracts, specifically exploiting the transferFrom function as previously reported by Web3 security firm De.Fi. This allowed them to drain assets from users who had granted approval to the lending pools.
Further, the report added that many protocols might be at risk and suggested several preventative measures. These include implementing multi-layer signature verification, using an independent device for verifying transaction data, avoiding blind signing for critical transactions, and setting up error-triggered audits to catch potential issues before signing.
In an Oct. 18 X post, independent programmer Daniel Von Fange noted that the attackers were still draining any assets being transferred to the compromised wallets and advised users to quickly revoke any approvals they had given to the affected contracts to avoid further losses.
Radiant Capital has since paused its lending markets on BNB Chain and Arbitrum. In an Oct. 17 X post, Radiant confirmed it was working with several cybersecurity firms, including SEAL911, Hypernative, and Chainalysis, to investigate the incident and recover the stolen assets.
The lending protocol’s immediate preventive measures include generating fresh cold wallet addresses using uncompromised devices for each member of the Safe, reducing the number of signers to 7, and increasing the signing threshold to 4 out of 7. Further, contributors will also double-confirm transaction data for each transaction using the input data decoder on Etherscan to ensure added accuracy before signing.
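The countermeasures described above come down to one habit: decode the raw calldata on an independent device and compare it with what the wallet front end claims, before signing. The script below is an added illustration of that check and of the approval revocation mentioned earlier; it is not Radiant's, Safe's or Etherscan's code. It decodes Safe transaction calldata offline, refuses to proceed when the selector is unknown, does not match the function the UI claims, or is an ownership transfer, and builds the `approve(spender, 0)` calldata a user would submit to revoke an allowance. The 4-byte selectors are the well-known keccak256 prefixes of the canonical ABI signatures and are hardcoded because the Python standard library has no Keccak-256; all contract and spender addresses in the tests are constructed placeholders.

```python
# Added example (not from the Radiant post-mortem): independent, offline decoding of
# transaction calldata before a multisig signer approves it, plus allowance revocation.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Well-known selectors: first 4 bytes of keccak256(canonical signature). Hardcoded
# because hashlib has no Keccak-256; in production use a Keccak library to derive them.
SELECTORS = {
    bytes.fromhex("f2fde38b"): "transferOwnership(address)",
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
}

# Calls that must never appear in a routine parameter-adjustment batch.
HIGH_RISK = {"transferOwnership(address)"}


@dataclass
class DecodedCall:
    selector: bytes
    signature: Optional[str]
    args: List = field(default_factory=list)


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def decode_calldata(hexdata: str) -> DecodedCall:
    """Decode calldata for the static-argument functions in SELECTORS."""
    data = bytes.fromhex(_strip0x(hexdata))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    sel = data[:4]
    sig = SELECTORS.get(sel)
    args: List = []
    if sig is not None:
        types = sig[sig.index("(") + 1:-1].split(",")
        if len(data) - 4 != 32 * len(types):  # every supported type is one 32-byte word
            raise ValueError("argument length does not match the signature")
        for i, typ in enumerate(types):
            word = data[4 + 32 * i:36 + 32 * i]
            if typ == "address":
                if any(word[:12]):  # addresses are left-padded with zero bytes
                    raise ValueError("address word has non-zero padding")
                args.append("0x" + word[12:].hex())
            elif typ == "uint256":
                args.append(int.from_bytes(word, "big"))
            else:
                raise ValueError(f"unsupported type {typ}")
    return DecodedCall(sel, sig, args)


def verify_before_signing(to: str, hexdata: str, expected_to: str,
                          allowed_sigs: Set[str]) -> List[str]:
    """Return the reasons to refuse signing; an empty list means the raw data
    matches the target contract and the function the UI claims to be calling."""
    reasons: List[str] = []
    if to.lower() != expected_to.lower():
        reasons.append(f"target {to} is not the expected contract {expected_to}")
    try:
        call = decode_calldata(hexdata)
    except ValueError as exc:
        return reasons + [f"undecodable calldata: {exc}"]
    if call.signature is None:
        reasons.append(f"unknown selector 0x{call.selector.hex()}")
    elif call.signature in HIGH_RISK:
        reasons.append(f"high-risk call {call.signature} -> {call.args[0]}")
    elif call.signature not in allowed_sigs:
        reasons.append(f"calldata calls {call.signature}, not one of {sorted(allowed_sigs)}")
    return reasons


def encode_revoke(spender: str) -> str:
    """Build approve(spender, 0) calldata to revoke an allowance granted to a
    compromised contract; the user sends it to the token contract."""
    addr = bytes.fromhex(_strip0x(spender))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + "095ea7b3" + addr.rjust(32, b"\x00").hex() + (0).to_bytes(32, "big").hex()


if __name__ == "__main__":
    pool = "0x" + "11" * 20        # constructed placeholder for the expected contract
    attacker = "0x" + "ab" * 20    # constructed placeholder address
    shown_as_routine = "0xf2fde38b" + "00" * 12 + "ab" * 20
    print(verify_before_signing(pool, shown_as_routine, pool, {"approve(address,uint256)"}))
    print(encode_revoke(attacker))
```

Run on a signer's separate machine, the script should be fed the `to` address and `data` field of the pending Safe transaction copied from the signing device, not from the same browser session that rendered the transaction: the whole point is that the comparison happens on a path the front end cannot influence.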
The company is also working with U.S. law enforcement agencies to freeze the stolen funds and trace the attackers while collaborating with ZeroShadow to analyze the digital footprint left by the exploiters.