Radiant Capital Resumes Ethereum Lending Markets After a Hack That Cost About $58M

On Nov. 1, the lending protocol said it had implemented improvements including transferring ownership into a timelock contract.

Decentralized lending protocol Radiant Capital has announced the resumption of its Ethereum lending markets following an exploit that resulted in the theft of approximately $58 million in digital assets.

On Nov. 1, the lending protocol stated that it had implemented several improvements, including transferring ownership into a timelock contract. According to the Radiant Capital team, this measure enforces a mandatory 72-hour waiting period for any adjustments, enhancing Radiant’s security.

The team also implemented an emergency admin role governed by a multisignature structure. This role is designed to pause and unpause the lending protocol’s markets as needed.

Furthermore, its decentralized autonomous organization (DAO) has adjusted its multisignature security, reducing the number of required signers to seven and setting a four-out-of-seven signing threshold.

Multisignature wallets enhance security by requiring multiple signatures to execute or process crypto transactions. This setup eliminates the risk of a single point of failure associated with having only one private key.

The security enhancements follow an exploit that led to $58 million in digital asset losses. On Oct. 16, Radiant Capital halted its lending markets after a cybersecurity breach on BNB Chain and Arbitrum.

An attacker gained control of several signers’ private keys and smart contracts. This incident allowed the hackers to drain over $50 million in assets from the protocol.

On Oct. 18, Radiant Capital confirmed in a post-mortem that the attackers had compromised the devices of at least three of its core developers by injecting malware.

Radiant Capital stated that the devices were compromised in a way where the front-end of their wallets displayed legitimate transaction data while malicious transactions were being signed and executed in the background.

In an X post, security professional Patrick Collins described the incident as a “$50 million lesson” that the decentralized finance (DeFi) space needs to remember. According to Collins, there is an educational or tooling gap in verifying transactions using hardware wallets.

Meanwhile, the Radiant Capital hacker has already moved about $52 million of the stolen funds from the incident. On Oct. 24, blockchain security firm PeckShield reported that the exploiter had already moved “nearly all” of the stolen funds.