Radiant Capital, a leading DeFi platform, has announced an ongoing collaboration with US law enforcement and Web3 security experts to recover over $50 million stolen in a recent hack.
In a detailed report released on Oct. 18, Radiant described the breach as one of the most complex hacks ever seen in DeFi. The team also warned that similar vulnerabilities could affect other protocols.
Post-mortem report
According to the report, the attackers used sophisticated malware to compromise the hardware wallets of at least three developers.
Radiant Capital claimed that the malware compromised the devices in a way that the front-end of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background.
Notably, the attack coincided with Radiant’s regular emissions adjustment process to respond to shifting market conditions. Despite thorough security checks, including manual reviews and Tenderly simulations, no suspicious activity was flagged during the process.
However, the incident’s stealth was particularly alarming. The attackers mimicked typical transaction errors to gather multiple signatures undetected. Once they had the necessary signatures, they executed the “transferOwnership” function, seizing control of Radiant’s lending pools.
The exploit targeted both Binance Smart Chain (BSC) and Arbitrum networks, allowing the attackers to manipulate the “transferFrom” function within the smart contracts. This enabled them to drain funds from users who had previously granted permission to Radiant’s lending pools.
Meanwhile, Safe{Wallet} has rejected any assertions that its interface was compromised during the attack. A spokesperson for the firm told CryptoSlate that the incident “stemmed from a blind signing error.”
On social media platform X, Safe{Wallet} stated that its front-end functioned as expected during the incident. According to the firm, The Safe{Wallet} interface remained uncompromised, and a valid transaction was created using the Transaction Builder.
Radiant Capital’s response
As part of their immediate security overhaul, the team has generated new cold wallet addresses for each team member using a secure, uncompromised device.
Additionally, security around Radiant’s Admin and DAO multisig wallets has been tightened. The number of signers was reduced to seven, with a new rule requiring four out of seven signatures to approve any transaction. This change ensures that 60% of signers must validate any transaction before it proceeds.
Further, to protect against future attacks, all contract updates and ownership transfers will now be delayed by at least 72 hours. This delay, enforced by timelock contracts, provides both the Radiant community and its developers ample time to review any proposed changes before they take effect.
Radiant Capital also outlined measures to help safeguard other protocols from similar threats. These include adopting more stringent signature verification processes, using separate devices to check transaction data, avoiding blind signing of critical transactions, and implementing audits triggered by error messages to catch vulnerabilities early.
**Editor’s Note** Updated to include statements from Safe{Wallet}.
