In October 2024, Radiant Capital suffered its second significant security breach of the year, highlighting the vulnerabilities in even well-established protocols. Earlier in the year, the DeFi platform experienced a $4.5 million flash loan attack. However, this latest incident, which resulted in an estimated $53 million in losses from user wallets, underscores the evolving and sophisticated tactics employed by attackers.

Inside the Attack

At the core of the Radiant Capital hack was the exploitation of its multi-signature (multi-sig) transaction approval process. Radiant Capital had implemented a 3-of-11 multi-sig scheme, requiring three private keys from a pool of eleven potential signers to authorize critical transactions. While designed to enhance security, this configuration inadvertently created a broader attack surface for malicious actors.

The attack unfolded as follows:

1. Exploitation of Signers: The attacker utilized malware to compromise the devices of multiple signers. This malware manipulated the Gnosis Safe wallet frontend, displaying legitimate transaction data while generating malicious transactions for signature and execution. The malware’s ability to remain undetected was aided by the occasional transaction failures expected during normal operations.

2. Blind Signing and Transaction Simulation: Transactions were simulated on Tenderly, and the results were reviewed before execution. However, the practice of blind signing — where signers approve transactions without independently verifying their integrity — meant the malicious payloads went unnoticed during the review process.

3. Takeover of the Pool Provider Contract: Using corrupted transactions, the attacker transferred control of the protocol’s Pool Provider contract to a malicious contract. This contract managed Radiant Capital’s lending pools, granting the attacker substantial control over user funds.

4. Deployment of Malicious Contracts Across Chains: The attacker deployed malicious contracts on four chains: BSC, ARB, BASE, and ETH. The attacks were executed on BSC and ARB, enabling the attacker to siphon approximately $53 million.

Key Vulnerabilities

The attack exploited several vulnerabilities within Radiant Capital’s security framework:

• Low Multi-Sig Threshold: While a 3-of-11 multi-sig scheme may appear robust, it allowed the attacker to compromise only three devices out of eleven to achieve their goal. This relatively low threshold significantly reduced the effort required for a successful breach.

• Large Pool of Signers: The inclusion of eleven potential signers increased the attack surface, providing the attacker with multiple targets to compromise.

• Reliance on Blind Signing: Blind signing allowed malicious transactions to be executed without rigorous validation. This practice proved to be a critical vulnerability in the protocol’s transaction approval process.

Lessons Learned

The Radiant Capital hack underscores the importance of robust security measures, particularly for high-value protocols operating in the DeFi space. Key takeaways from this incident include:

Enhance Multi-Sig Security:

• Increase the threshold for transaction approval to make breaches more difficult.

• Reduce the number of potential signers to minimize the attack surface.

Strengthen Device Security:

• Implement stringent endpoint protection to guard against malware infections.

• Regularly audit the devices of signers for signs of compromise.

Adopt Rigorous Validation Processes:

• Avoid blind signing by requiring signers to independently verify transaction details.

• Use secure hardware wallets that can display detailed transaction data for signer review.

Implement Advanced Monitoring:

• Continuously monitor transaction patterns for anomalies.

• Utilize advanced threat detection tools to identify and mitigate potential attacks early.

Foster a Culture of Security:

• Provide training for developers and signers on recognizing and mitigating sophisticated attack vectors.

• Encourage a proactive approach to security, including regular penetration testing and simulated attack drills.

Looking Ahead

While Radiant Capital’s security measures adhered to many industries best practices, the attack highlights the need for continuous improvement in the face of evolving threats. This incident serves as a cautionary tale for other projects in the DeFi ecosystem, emphasizing that even robust defenses can have exploitable gaps.

By learning from incidents like the Radiant Capital hack, the DeFi community can collectively strengthen its defenses, ensuring a safer and more resilient ecosystem for all participants.