Radiant Capital Exploited for Over $50M
Radiant Capital, an omnichain money market platform, is reportedly facing a significant exploit, according to Web3 security firm Ancilia and on-chain data.
The attack began on Radiant's deployment on Arbitrum, an Ethereum Layer 2 network, and later expanded to Binance Smart Chain (BSC), per data from Arkham Intelligence.
Ancilia wrote on X (formerly known as Twitter):
“We have noticed several transferFrom user's account through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerability functions.”
Hackers exploited the platform's transferFrom function, gaining access to user funds by spoofing wallet addresses.
Ancilia has advised users to revoke all Radiant contract permissions as a precautionary measure.
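To make the revoke advice concrete, the following is an added example (not code from Radiant, Ancilia or the article) that replays ERC-20 Approval event logs to find allowances still open to the contract named in Ancilia's post and builds the approve(spender, 0) calldata that closes them. The sample accounts, tokens and logs are constructed, and treating that contract as the approved spender is an assumption.

```python
# Added example: replay ERC-20 Approval logs to find allowances still open to a flagged spender.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
# Contract named in Ancilia's post; assumed here to be the spender users approved.
FLAGGED_SPENDER = "0xd50cf00b6e600dd036ba8ef475677d816d6c4281"

def pad(addr):
    """ABI-encode an address as a 32-byte word (hex, no 0x prefix)."""
    return addr[2:].lower().rjust(64, "0")

def live_allowances(logs, owner, spender=FLAGGED_SPENDER):
    """Return {token: amount} for non-zero allowances owner -> spender.
    Logs must be in chain order: each Approval overwrites the previous one.
    Spending via transferFrom may lower an allowance without a new event, so
    treat the result as an upper bound and confirm with allowance() on-chain."""
    want = ["0x" + pad(owner), "0x" + pad(spender)]
    state = {}
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        # ERC-20 Approval has exactly 3 topics; ERC-721 Approval has 4.
        if len(topics) == 3 and topics[0] == APPROVAL_TOPIC and topics[1:] == want:
            state[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in state.items() if amount > 0}

def revoke_calldata(spender=FLAGGED_SPENDER):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad(spender) + "0" * 64

# Constructed sample data (not real accounts, tokens or logs).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
MAX_UINT = 2**256 - 1

def mk(token, owner, spender, amount):
    return {"address": token, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, "0x" + pad(owner), "0x" + pad(spender)]}

SAMPLE_LOGS = [
    mk(TOKEN_A, OWNER, FLAGGED_SPENDER, MAX_UINT),  # unlimited approval, still open
    mk(TOKEN_B, OWNER, FLAGGED_SPENDER, 1000),
    mk(TOKEN_B, OWNER, FLAGGED_SPENDER, 0),         # later revoked
    mk(TOKEN_A, OWNER, OTHER, 500),                 # different spender, ignored
    mk(TOKEN_A, OTHER, FLAGGED_SPENDER, 7),         # different owner, ignored
]

if __name__ == "__main__":
    for token, amount in live_allowances(SAMPLE_LOGS, OWNER).items():
        print(token, "unlimited" if amount == MAX_UINT else amount, revoke_calldata())
```

An unlimited approval is the case that matters most here: it stays usable by the spender contract until the owner explicitly sets it back to zero.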
The breach occurred after a backdoor contract was deployed on Wednesday at 17:09 UTC, allowing the attacker unauthorised access to Radiant's liquidity pools.
The exploit, initially reported by Hacken, has drained at least $48 million in assets, including Wrapped Ether (WETH), Wrapped Bitcoin (WBTC), Arbitrum (ARB), USD Coin (USDC), and Tether (USDT), with tokens stolen from both Arbitrum and BSC liquidity pools.
The amount is now over $50 million.
The attacker transferred these assets to a wallet that currently holds over $51 million, with $32 million on Arbitrum and $18 million on BNB Chain.
The wallet, identified by address 0x0629b, shows a sharp increase in token balances, signaling the scale of the exploit.
Notably, this attack comes after a failed attempt by the same hacker on 10 October.
The incident involved the compromise of Radiant's MultiSig wallet, a security feature designed to enhance protection by requiring multiple transaction approvals.
The native RDNT token dropped by 7% following the breach, with its price down over 9% in the last 24 hours, trading at $0.06677 according to CoinMarketCap.
Hacken has warned users to revoke any permissions granted to Radiant's contracts immediately to safeguard their assets, noting that the malicious contract used in the exploit had been deployed two weeks prior, suggesting the attack had been planned in advance.
Ancilia Mistakenly Shares Wallet-Drainer Link
Ancilia has found itself in a precarious situation after mistakenly sharing a link that directed users to a crypto wallet drainer while trying to assist those affected by the over $50 million exploit of Radiant Capital.
A pseudonymous crypto commentator known as "Spreek" highlighted the issue by posting a screenshot of Ancilia's now-deleted message, which inadvertently re-shared a "scam link" from a fraudulent Radiant X account.
This link posed a significant threat, as it could have siphoned funds from any user who clicked on it and granted the associated permissions.
Expert Recommends Users Revoke Approvals on Ethereum & Base
Tony Ke, Security Engineering Lead at FuzzLand, advised users to revoke approvals on Ethereum and Base networks, despite no confirmed compromise of Radiant Capital on these chains.
He said:
"Radiant capital has fallen victim to a hack causing $51mm in losses so far across Arbitrum and BnB chain. The Ethereum and Base deployments seem to be secure but we would warn anyone to be careful interacting with these contracts at this time."
According to DefiLlama, the funds stolen represent more than half of Radiant's $75.5 million total value locked (TVL).
Ke elaborated:
"Radiant leverages a multisig setup for their smart contract controls which seems to have been compromised internally."
The nature of the attack suggests that the private keys may have been exposed through phishing, a compromised device, or possibly an insider breach, leading to the significant loss.
He added:
"As we learn more information about how this occurred, we will try to work in conjunction with the Radiant team to help in any fund recovery efforts possible."
Radiant Capital Suffers Two Exploits in a Year
Mudit Gupta, CISO at Polygon Labs, described the Radiant Capital exploit as a "key management failure," pointing to the platform's use of an 11-signer multi-signature wallet that required only 3 signatures to approve critical changes.
Alarming reports reveal that three of the private keys had been compromised.
Security analysts are investigating how these keys were accessed, suspecting phishing attacks on key holders or a breach in the platform's interface.
X user 0xBoboShanti also raised concerns about the low signer threshold, which represents less than 30% of the total signers.
Sreeram Kannan, founder of restaking protocol EigenLayer, said:
“Many contracts today rely on multisigs, which is far from decentralized. At the end of the day, users aren't getting the trust that blockchain is supposed to provide.”
He concluded:
“We need to move beyond that.”
This marks Radiant's second breach in 2024, following a $4.5 million flash loan exploit in January.
Radiant Capital Suspends Lending
Following the breach, Radiant Capital has suspended its markets on Ethereum and the layer-2 network Base "until further notice."
The protocol urged users to revoke all permissions linked to its smart contracts, and Revoke.Cash has launched a tool to help users assess their risk.
Radiant has partnered with blockchain security firms SEAL911 and Hypernative to address the issue and prevent future incidents.
It has also advised users to remove questionable approvals and temporarily halted new transactions.
The community response has been one of concern, especially given recent DeFi sector breaches.
This incident raises critical questions about the effectiveness of current security measures in protecting users' assets.
While Radiant used a multi-signature wallet for protection, experts emphasize the need for real-time monitoring to prevent unauthorised access, and many are calling for stronger protections against losses of ETH, WBNB, and USDC.