Radiant Capital Discloses Post-Mortem of Oct. 16 Attack That Resulted in Theft of Over $50M in Digital Assets

Radiant Capital has disclosed a post-mortem for the Oct. 16 attack that resulted in the theft of over $50 million in digital assets from the BNB Chain and Arbitrum networks.

DeFi platform Radiant Capital has disclosed a post-mortem for the Oct. 16 attack that saw over $50 million in digital assets stolen from the BNB Chain and Arbitrum networks. According to Radiant, the attacker compromised the devices of three of its long-standing developers.

Hackers were able to compromise the devices through a “sophisticated malware injection” used to sign malicious transactions.

“The devices were compromised in such a way that the front-end of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background,” the Radiant team explained in a blog post.

Radiant Capital is a decentralized finance (DeFi) platform that allows users to earn interest and borrow assets across multiple blockchain networks. It operates like an “omnichain money market,” enabling cross-chain transactions on lending markets in different networks, such as Ethereum, BNB and Arbitrum.

The attack

According to the company, the breach occurred during a routine multisignature emissions adjustment, a process that takes place “periodically to adapt to market conditions and utilization rates.”

Multisignature is the dominant means of securing Web3 protocols. it requires multiple signatures to authorize a transaction.

Once the transactions were approved, the compromised devices intercepted these approvals and replaced them with a malicious transaction, which was then forwarded to the hardware wallets for signature. As soon as the Safe Wallet detected an issue, it displayed an error message, prompting the users to attempt the signature again.

This type of failure can arise from a number of factors, such as gas price fluctuations, nonce mismatch, network congestion, and insufficient gas limit, among others.

“As a result, this behavior did not raise immediate suspicion,” said the team. This process ultimately allowed the attackers to gather three valid signatures.

Losses across various attack types in 2024. Source: Hacken

As per Radiant, the signed transactions still appeared legitimate within the user interface, making the attack difficult to detect. The breach was also undetectable during the manual review of the Gnosis Safe UI and Tenderly simulation stages of the routine transaction.

“This has been confirmed by external security teams, including SEAL911 and Hypernative,” noted the post-mortem.

Along with draining assets worth $50 million, the hackers exploited open approvals to withdraw funds from users’ accounts. Other Radiant core developers may also have had their devices compromised. The protocol has requested users to revoke approvals on all chains to mitigate further incidents:

According to a report by cybersecurity firm Hacken, access control exploits were responsible for $316 million in lost funds during the third quarter. This accounts for nearly 70% of all crypto funds stolen during the quarter.