Decentralized finance (DeFi) project Radiant Capital has claimed that groups analyzing its breach earlier this week “believe this was one of the most sophisticated hacks ever recorded in DeFi” and that “many protocols are at risk”.
Radiant and Web3 auditor Hacken estimated the approximate scale of the theft at $50 million, and it’s thought that USDT, USDC, and ARB tokens were stolen.
Multiple pools have been fully drained, including:
- USDC
- USDT
- wbETH
- bBTC
- wBNB
- WETH
- WBTC
- ARB
- wstETH— Hacken🇺🇦 (@hackenclub) October 16, 2024
This sum includes at least $16 million drained from a Radiant smart contract on BNB Chain, as well as funds stolen from some of Radiance’s trading pools on the Ethereum layer-2 network Arbitrum according to Hacken.
Radiant’s platform aims to provide liquidity across different blockchain protocols and allows users to deposit collateral and borrow assets.
Inside the hack
In a blog explaining the attack, Radiant claimed hackers successfully compromised at least three developers’ hardware wallets, though they were not able to say the exact number.
Radiant claims the hackers then used malware to “manipulate transaction data at the device level” and used “poisoned signatures” that looked legitimate to the signers authorizing the transaction.
The hackers allegedly used the compromised wallets to then carry out three multi-signature approvals to move crypto to wallets they controlled.
Radiant clarified that the impacted developers had all been “long-standing, trusted contributors” to its DAO.
Radiant claims the attack used a “sophisticated method” where Radiant developers, who were using popular Ethereum multisig wallet Safe{Wallet} for transaction verification, were presented with transactions that looked legitimate.
The project said hackers were able to get past multiple layers of verification, including full-stack Web3 interface Tenderly and other auditing tools.
Radiant Capital says it is working with U.S. law enforcement and Web3 cybersecurity firm ZeroShadow, to freeze the stolen assets and recover the funds.
The project said it is taking numerous steps to prevent future breaches, such as requiring that its contributors double-confirm transaction data for every transaction using analytics platform Etherscan.
In addition, contract upgrades and ownership transfers will now be subject to a minimum 72-hour delay, to give developers enough time to review and verify changes.
Though Radiance’s recent disaster may allegedly be one of the most sophisticated hacks in DeFi history, it's by no means the largest.
In May 2022, the Ronin Network, associated with the play-to-earn game Axie Infinity, suffered a $625 million loss at the hands of hackers.