Lending protocol Radiant Capital hacked for the second time this year, losing over $50 million.
Radiant Capital, a lending protocol, was hacked again on the 16th, resulting in a loss of over $50 million. This is the second attack on Radiant since January and is unrelated to the previous incident. Cybersecurity experts believe that in this case the attackers obtained 3 of the 11 private keys for Radiant's multi-signature wallet, which allowed them to upgrade the protocol's smart contract and steal funds.
Radiant Capital Private Key Stolen
According to cybersecurity firm De.Fi, attackers exploited the transferFrom function in the Radiant protocol to launch attacks on the BNB chain and Arbitrum chain, depleting user accounts of tokens including USDC, WBNB, and ETH.
This attack involved control of a multisig wallet, where the attackers were able to modify smart contracts and execute fund transfers by stealing private keys from multiple signers.
Fuzzland's Head of Security Research, Tony Ke, also pointed out to The Block that Radiant on Ethereum and Base seems unaffected, but users should still exercise caution when interacting with contracts.
🚨~$58,000,000 Exploit Alert🚨
Radiant Capital contracts were exploited on BSC & ARB chains with the ‘transferFrom’ function, which allowed draining users’ funds, namely $USDC $WBNB $ETH and others
⚠️Revoke approvals ASAP👇
0xd50cf00b6e600dd036ba8ef475677d816d6c4281
— De.Fi Antivirus Web3 🛡️ (@De_FiSecurity) October 16, 2024
Radiant Capital Response
Radiant Capital later confirmed in a tweet that the protocol had been compromised. It said it is working with several cybersecurity companies, including SEAL911, Hypernative, ZeroShadow, and Chainalysis, to investigate the incident and recover losses, but gave no specific details.
Currently, Radiant has halted the BNB chain and Arbitrum markets and asked users to await further instructions.
Attacker 0x…98962 initially held over $32 million on Arbitrum and $18 million on the BNB chain, with the largest holdings being wstETH and weETH, and has begun massive fund transfers.
We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum. We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible. Markets on Base and Mainnet are paused until further notice.
— Radiant Capital (@RDNTCapital) October 16, 2024
In January of this year, Radiant fell victim to a flash loan attack due to a smart contract vulnerability, losing approximately 1,900 ETH valued at around $4.5 million. Following this incident, cybersecurity firms and Radiant itself are urging users to promptly revoke contract authorizations.
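The revocation advice above applies because `transferFrom` can only move tokens that a holder has previously approved. The following sketch is an added example, not code from Radiant, De.Fi or the original article: it replays ERC-20 `Approval` event logs to list allowances still open to a flagged spender. The log dictionaries, token and owner addresses are constructed sample data, and treating the address from De.Fi's alert as the spender to revoke is an assumption.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Address quoted in De.Fi's alert; ASSUMED here to be the spender to revoke.
FLAGGED_SPENDER = "0xd50cf00b6e600dd036ba8ef475677d816d6c4281"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    # Indexed address topics are 32 bytes, left-padded: keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def open_allowances(logs, spender=FLAGGED_SPENDER):
    """Replay Approval logs in chain order; return {(token, owner): amount}
    for approvals to `spender` whose most recent value is non-zero."""
    latest = {}
    in_order = sorted(logs, key=lambda l: (int(l["blockNumber"], 16),
                                           int(l["logIndex"], 16)))
    for log in in_order:
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    # Spending via transferFrom lowers a finite allowance without a new Approval
    # log on many tokens, so confirm each hit with an on-chain allowance() call.
    return {k: v for k, v in latest.items() if v > 0}

# --- constructed sample data (placeholder addresses, not real accounts) ---
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
OWNER_1, OWNER_2 = "0x" + "11" * 20, "0x" + "22" * 20
OTHER_SPENDER = "0x" + "99" * 20
def _log(token, owner, spender, amount, block, idx, extra_topic=None):
    topics = [APPROVAL_TOPIC] + ["0x" + "0" * 24 + a[2:] for a in (owner, spender)]
    if extra_topic:
        topics.append(extra_topic)
    return {"address": token, "topics": topics, "data": "0x%064x" % amount,
            "blockNumber": hex(block), "logIndex": hex(idx)}

SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER_2, FLAGGED_SPENDER, 0, 120, 3),          # revoked later
    _log(TOKEN_A, OWNER_1, FLAGGED_SPENDER, UNLIMITED, 100, 0),  # still open
    _log(TOKEN_B, OWNER_2, FLAGGED_SPENDER, 5000, 110, 7),       # approved first
    _log(TOKEN_A, OWNER_2, OTHER_SPENDER, UNLIMITED, 105, 1),    # other spender
    _log(TOKEN_A, OWNER_1, FLAGGED_SPENDER, 0, 130, 2, "0x" + "0" * 63 + "7"),  # NFT-style
]

if __name__ == "__main__":
    for (token, owner), amount in open_allowances(SAMPLE_LOGS).items():
        print(owner, "->", token, "unlimited" if amount == UNLIMITED else amount)
```

In the sample, only the unlimited approval from the first owner remains open; the second owner's approval was later set to zero, which is what a revocation does on-chain.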
The authorization revocation site Revoke has introduced a "Signature Panel" feature! It allows cancellation of past signatures to avoid potential phishing risks.