Contents
Exploit Leads to $48 Million Loss at Radiant Capital
Security Breach and Token Crash
Security firm Hacken reports suspected breach at Radiant Capital
An incident at multichain money market Radiant Capital has resulted in a potential loss of $48 million due to a suspected breach in access control, as revealed by security firm Hacken.
Following the news of the security breach, the native token of the DeFi protocol, RDNT, experienced a 7% crash in value. The token continues to trade down by over 5% within the last 24 hours, currently at $0.067.
Compromised MultiSig Wallet
Hackers gain control by breaching MultiSig wallet
The breach involved compromising Radiant Capital’s MultiSig wallet, a security feature that usually requires multiple approvals for transactions. This breach allowed hackers to transfer ownership of the platform’s Pool Provider contract to a malicious contract, enabling them to withdraw significant assets from liquidity pools on Binance Smart Chain (BSC) and Arbitrum.
As a result, tokens such as Wrapped Ether (WETH), Wrapped Bitcoin (WBTC), Arbitrum (ARB), USD Coin (USDC), and Tether USD (USDT) were drained from lending pools on both chains.
Immediate Actions Advised
Users urged to revoke approvals and prevent further access
Hacken advised users to revoke any approvals granted to Radiant Capital immediately to prevent unauthorized access to their funds. The security firm also reported that the exploit was planned over two weeks, with the malicious contract deployed 14 days prior to the attack.
Tony Ke from FuzzLand recommended that users revoke approvals on Ethereum and Base as well, as a precautionary measure against potential unauthorized access to their assets.
Key Management Failure
Low signer threshold criticized by experts
Experts, including Polygon Labs’ CISO Mudit Gupta, called the exploit a “key management failure,” highlighting the use of a multi-signature wallet with a low signer threshold. Radiant Capital, with 11 authorized signers, only required 3 signatures for contract approval, raising concerns about security measures.
Repeat Offender
Previous exploit history at Radiant Capital
This is the second exploit suffered by Radiant Capital in 2024, with a previous flash loan-based exploit resulting in a $4.5 million loss in January. Following that incident, the protocol experienced a decline in total value locked (TVL), losing up to 37% within three weeks. Despite a recovery in TVL by March, the protocol’s funds locked continued to decrease, with a 75% loss year-to-date.