
KEY POINTS
- Two security analytics firms have said the total amount stolen has reached $58 million
- Industry experts raised concerns over the protocol's low signature requirement for its multisig
- Radiant has since paused its markets, but has yet to provide a detailed breakdown on the breach
Major cross-chain lending protocol Radiant Capital paused its lending markets after losing millions in a breach that affected some of its smart contracts on the BNB Chain and Arbitrum networks. Given the size of the protocol, the incident rocked the cryptocurrency community to the core.
Multiple security analytics firms delved into the massive breach, and some prominent figures in the industry raised concerns about how a leading protocol could have been hit by a cybersecurity attack.
How Did It Happen?
Blockchain security auditor QuillAudits was one of multiple security-related firms that looked into how the attacker was able to gain access to Radiant Capital contracts.
🚨 @RDNTCapital has been exploited for $58M so far!
Contracts on both Arbitrum & BSC are affected.
The attacker gained control of 3 out of 11 signers; just enough to carry out the hack.
— QuillAudits | Road to Devcon 🛬 (@quillaudits_ai) October 17, 2024
According to QuillAudits, "the attacker gained control of 3 out of 11 signers; just enough to carry out the hack." The exploiter then transferred ownership of the contract before draining user funds. The auditing firm also published a list of contracts that were "in danger" early Thursday.
Radiant has a multisignature wallet, or "multisig" in crypto terms, that controls the protocol. The attacker is said to have gained access to the private keys of some signers and used them to control some of the protocol's smart contracts across the affected chains.
Blockchain analytics firm Lookonchain said the hacker specifically took some $33.6 million in various digital assets from Arbitrum and around $19.4 million from the BNB Chain. Assets stolen from Arbitrum were swapped to Ethereum (ETH), while those drained from the BNB Chain were swapped to BNB tokens.
Radiant Capital(@RDNTCapital) hacked for $53M on #Arbitrum and #BSC 8 hours ago!
The hacker swapped the stolen assets for 12,835 $ETH($33.6M) and 32,113 $BNB($19.4M).
Please revoke access to the following contracts on https://t.co/inHmYxIkPw.…
— Lookonchain (@lookonchain) October 17, 2024
Web3 cybersecurity firm De.Fi Antivirus said $58 million has been swiped so far.
Radiant Capital has since confirmed the exploit, saying it was "working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible." It paused markets on Base and Mainnet until further notice.
We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum. We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible. Markets on Base and Mainnet are paused until further notice.
— Radiant Capital (@RDNTCapital) October 16, 2024
Crypto Community Shocked by Latest Hack
Many crypto users have expressed frustration over the incident, including some key figures in the industry, who are raising concerns about the seemingly weak measures Radiant purportedly took to protect its multisig.
Pop Punk, the co-founder of token launch security platform G8keep, said Radiant "just had their protocol stolen from them like a school bully steals lunch money." He added that requiring only three signatures of 11 to execute transactions was "uncomfortably low for a protocol of this size."
Radiant Capital just had their protocol stolen from them like a school bully steals lunch money.
Multisig was compromised and ownership was transferred.
Revoke all approvals. Tens of millions of dollars in losses so far.
— Pop Punk (@PopPunkOnChain) October 16, 2024
Prominent analyst Adam Cochran found it "insane" that a 3-of-11 signature requirement covered general control of the protocol rather than a limited set of permissions. "How the f**k did a hacker get 3 multisig keys for one protocol?" he said.
Let’s set aside 3/11 being insane for general control and not some limited set of permissions — how the fuck did a hacker get 3 multisig keys for one protocol?!
That’s insane.
— Adam Cochran (adamscochran.eth) (@adamscochran) October 16, 2024
One user raised an issue that many crypto and blockchain skeptics have pointed to in the past: that the industry can't be taken seriously if security incidents keep coming. Another user said he can't imagine himself building or using a protocol "that's built on just a multisig."
Crypto investment platform Exponential, which has a "Risk Ratings" feature, revealed that it previously rated Radiant with a "Watch Out," citing the protocol's weak multisig protections that "makes the protocol more susceptible to centralization risks."