AuditOne Blog
Unpacking Multisig Hacks in DeFi: Radiant Capital's Case

In October 2024, Radiant Capital, a major player in DeFi lending, faced its second major security breach of the year, resulting in losses exceeding $53 million. This hack, which targeted Radiant’s multi-signature wallets, highlights significant vulnerabilities in DeFi security and emphasizes the critical need for multi-layered defenses and rigorous contract auditing.

This article will explore the details of the Radiant hack, the mechanisms behind the attack, and the urgent security lessons for DeFi protocols.

What Happened: Exploit Breakdown

Radiant Capital is a DeFi protocol that specializes in cross-chain lending and liquidity services. Built on Layer 2 networks like Arbitrum, and operating on multiple blockchain ecosystems, Radiant allows users to lend and borrow assets across different chains (such as Ethereum, Binance Smart Chain, and Arbitrum) seamlessly. It aims to create a more integrated DeFi experience by letting users deposit assets on one blockchain and borrow on another, solving a common problem in DeFi where liquidity is often isolated to individual chains.

On October 17, malicious actors successfully executed a hack targeting the protocol’s multi-signature (multi-sig) wallet, a security mechanism typically requiring multiple approvals to authorize transactions.

Their multisig setup had eleven possible signers but required only three to authorize a transaction. This “3-of-11” configuration became an exploitable vulnerability when attackers compromised the private keys of three signers through sophisticated malware, effectively gaining control of the wallet. With access to the wallet, the attackers manipulated Radiant’s core contracts and drained user funds from the protocol’s lending pools on the Binance Smart Chain (BSC) and Arbitrum.

Inside the Attack Step-by-Step

1. Compromising Private Keys via Malware

The attackers deployed advanced malware to compromise the hardware wallets of Radiant’s developers. The malware simulated legitimate transaction data in the Safe{Wallet} interface, tricking developers into signing fraudulent transactions. This "blind signing" process was undetectable through standard checks on Tenderly and Safe, as both platforms showed no anomalies during manual verification. The attackers exploited routine error messages in the wallet interface to gather signatures over multiple attempts, making the attack appear as normal operational issues.

2. Contract Ownership Transfer

With control over the compromised signers, the attackers executed a “transferOwnership” function on Radiant’s Pool Provider contract, the main contract governing the protocol’s lending pools. By transferring ownership, they replaced Radiant’s control with a malicious contract, effectively taking over protocol operations and bypassing standard security measures.

3. Upgrading Contracts to Malicious Versions

The attackers upgraded Radiant’s lending pool contracts to malicious versions across chains. These contracts manipulated key functions, such as "transferFrom," allowing attackers to drain funds from users who had previously approved contract interactions. This unauthorized upgrade provided the attackers with unrestricted access to user funds across BSC and Arbitrum, leading to estimated losses of $53 million.

4. Fund Extraction and Obfuscation

The attackers laundered the stolen funds through DEXs like PancakeSwap and 1inch, converting assets into ETH and BNB to obscure their origin. The planned attack timeline, evidenced by malicious contracts deployed weeks in advance, suggests a high level of sophistication and preparation.

Consequences of the Attack

Although attacks like this are carried out by experienced malicious actors, they often damage the targeted protocol’s reputation and user trust. As a result, Radiant Capital:

  1. Paused its markets on Base and Ethereum, advising users to revoke permissions to its smart contracts.
  2. Collaborated with law enforcement and security firms, including ZeroShadow and Chainalysis, to trace and recover stolen assets.
  3. Overhauled its multi-sig configuration, reducing the number of signers to seven and increasing the threshold to four, thereby requiring stronger consensus for transaction approval.

Radiant also implemented an extensive re-evaluation of its internal processes and conducted thorough audits to prevent similar incidents in the future.

What Went Wrong? Analyzing the Key Vulnerabilities

Radiant’s multi-sig setup was both a strength and a weakness. Multi-signature (multi-sig) wallets are often recommended for their added security, as they require multiple approvals to execute transactions, which reduces the risk of a single compromised key leading to a full breach. However, the Radiant hack illustrates a known vulnerability in multi-sig systems: if the signature threshold is set too low relative to the total number of signers, the security of the protocol can be compromised.

In Radiant’s case, the “3-of-11” configuration required only three signatures out of eleven possible signers, making it easier for attackers to gain control by targeting a small subset of private keys. This low threshold allowed the attackers to bypass the intended security of the multi-sig setup, highlighting a broader issue with multi-sig wallets in DeFi: they offer robust protection only when carefully configured. 

In fact, research and recent incidents across the DeFi industry have shown that misconfigured multi-sig setups with low thresholds create critical vulnerabilities that can be exploited by attackers. Radiant’s hack reinforces the importance of setting higher thresholds that require a majority or supermajority of signers, which reduces the likelihood of a successful attack.

1. Malware and Device-Level Exploits

The success of this hack underscores the danger of compromised hardware, even in a multi-sig setup. The attackers’ use of malware to bypass device-level checks by simulating legitimate transaction data demonstrates that even hardware wallets can be vulnerable without strict device isolation and monitoring.

2. Inadequate Signature Threshold

While setting a lower signature threshold can make operations faster and reduce the logistical overhead of gathering multiple approvals, it also weakens security. Low thresholds increase the risk of compromise because attackers only need to target a small subset of signers to gain control.

Although multi-sig wallets are designed to reduce single points of failure, low thresholds increase the probability of compromise when any subset of signers is attacked. Radiant’s reconfiguration to a “4-of-7” multi-sig setup is a step toward reducing this risk.
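To put numbers on the threshold argument, the following added example (not part of the original article or Radiant's tooling) compares the 3-of-11 and 4-of-7 configurations with a binomial model. The per-signer compromise rates are assumptions chosen for illustration, and the model treats signers as independent, which a single malware campaign hitting several developers violates.

```python
from math import comb

def takeover_probability(threshold: int, signers: int, p: float) -> float:
    """P(at least `threshold` of `signers` keys are compromised).

    Binomial tail; assumes each key falls independently with probability p.
    """
    return sum(comb(signers, k) * p**k * (1 - p) ** (signers - k)
               for k in range(threshold, signers + 1))

def assess(threshold: int, signers: int, p: float) -> dict:
    """Summarise one k-of-n configuration for a per-signer compromise rate p."""
    return {
        "config": f"{threshold}-of-{signers}",
        "share_of_signers": round(threshold / signers, 3),
        "majority": threshold > signers / 2,
        # Distinct minimal sets of keys whose compromise is enough for control.
        "sufficient_key_sets": comb(signers, threshold),
        "takeover_probability": takeover_probability(threshold, signers, p),
    }

def compare(rates=(0.01, 0.05, 0.5)):
    """3-of-11 (before) against 4-of-7 (after) at several assumed rates."""
    return [(p, assess(3, 11, p), assess(4, 7, p)) for p in rates]

if __name__ == "__main__":
    for p, before, after in compare():
        print(f"p={p}: {before['config']} -> {before['takeover_probability']:.6f}, "
              f"{after['config']} -> {after['takeover_probability']:.6f}")
```

At the assumed rate of 0.5, which stands in for a campaign that reaches most signers, 4-of-7 still falls half the time, so the higher threshold only pays off together with the device isolation discussed above.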


Lessons Learned and Security Improvements

The Radiant Capital hack serves as a wake-up call, not only for Radiant but for the entire DeFi industry. This breach highlighted that even established security practices, like multi-signature wallets, can become weaknesses if not carefully configured and continuously monitored. In response, Radiant Capital has implemented several key security improvements, and these measures provide a roadmap for other protocols looking to strengthen their defenses against increasingly sophisticated attacks.

1. Implementing Higher Multi-Sig Thresholds and Role Segmentation

Moving to a higher multi-sig threshold is essential for protocols like Radiant. However, role segmentation—assigning specific access permissions based on role—is another layer that could reduce the risk of unauthorized access. Segregating high-privilege roles from routine transaction signers can minimize vulnerability.

2. Timelock Contracts for High-Impact Functions

To prevent rapid unauthorized changes, Radiant has introduced 72-hour timelock contracts on upgrades and ownership transfers. This delay allows both developers and the community to verify any proposed changes and take action if discrepancies are found.

3. Real-Time Monitoring and Audits

Real-time monitoring, which can detect anomalies in transaction patterns, combined with frequent, in-depth audits, could have alerted Radiant to unusual activity sooner. This includes applying solutions like CUBE3.AI, which identified the PenPie exploit within 32 seconds, allowing for faster mitigation. Integrating such tools into the DeFi ecosystem could reduce the attack window and minimize losses.
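The timelock and monitoring points above can be combined into one check, shown here as an added example that is not code from the article, Radiant, or any monitoring product. It decodes calldata independently of the wallet interface, flags ownership transfers and upgrades, and alerts when one executes without a 72-hour announcement; the selectors are the standard Ownable and proxy ones (an assumption about the target contracts), and the `Tx` record, queue format and addresses are hypothetical.

```python
from dataclasses import dataclass

# Standard Ownable / proxy selectors; Radiant's contracts may expose others.
HIGH_IMPACT = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}
TIMELOCK_DELAY = 72 * 3600  # seconds; the delay cited in the article

@dataclass
class Tx:
    to: str         # target contract address
    data: str       # hex calldata
    timestamp: int  # unix time of execution

def decode(data: str):
    """Return (signature, address argument) for a high-impact call, else None."""
    raw = data.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    sig = HIGH_IMPACT.get(raw[:8])
    if sig is None:
        return None
    # First ABI word is a left-padded address: keep its last 20 bytes.
    word = raw[8:72]
    return sig, ("0x" + word[24:] if len(word) == 64 else None)

def review(tx: Tx, queued: dict, reviewed: set) -> list:
    """Alerts for one executed transaction; an empty list means no finding."""
    # queued: (target, calldata) -> unix time the call was announced
    # reviewed: addresses approved as a new owner or implementation
    hit = decode(tx.data)
    if hit is None:
        return []
    sig, addr = hit
    alerts = []
    if addr not in reviewed:
        alerts.append(f"{sig} on {tx.to}: unreviewed address {addr}")
    queued_at = queued.get((tx.to.lower(), tx.data.lower()))
    if queued_at is None:
        alerts.append(f"{sig} on {tx.to}: never announced in the timelock queue")
    elif tx.timestamp - queued_at < TIMELOCK_DELAY:
        alerts.append(f"{sig} on {tx.to}: executed before the 72-hour delay elapsed")
    return alerts

# Constructed sample: placeholder addresses, not values from the incident.
POOL_PROVIDER = "0x" + "aa" * 20
NEW_OWNER = "0x" + "bb" * 20
SAMPLE = Tx(POOL_PROVIDER, "0xf2fde38b" + "00" * 12 + "bb" * 20, 1_700_000_000)
```

The same `decode` step is useful before signing: a signer who decodes the raw calldata on a separate machine sees `transferOwnership` and its target address even if the wallet interface displays something else.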


Conclusion: Redefining DeFi Security Standards

Radiant Capital’s experience serves as a stark reminder of the persistent challenges faced in DeFi’s security. While decentralization offers remarkable flexibility and opportunity, it also demands sophisticated, layered security strategies. For the broader DeFi community, Radiant’s hack emphasizes the importance of not just multi-sig wallets but also careful attention to multi-sig configurations, timelocks, and rigorous audits.

Only by continuously adapting to emerging threats, integrating best practices from both DeFi and traditional finance, and maintaining an uncompromising stance on security, can DeFi protocols protect their users and safeguard the potential of decentralized finance.

Protecting your Web3 project is essential for growth and user trust. Start by using our free Smart Contract Security Checklist Tool to identify any potential vulnerabilities. Or, book a free 30 min. consultation with us to explore advanced protection options tailored to your project.

Author: AuditOne Team