Radiant Capital attackers used malware to hijack developers' wallets and steal more than $50 million in assets.
According to Radiant Capital's post-mortem report, the October 16, 2024 attack, which caused losses of more than $50 million, was “one of the most sophisticated hacks ever recorded in DeFi.”
The attackers compromised the hardware wallets of at least three Radiant developers through a sophisticated malware injection, although it is believed they may have attacked more devices.
The malware manipulated the interface of Safe{Wallet} (previously known as Gnosis Safe), displaying legitimate transaction data to developers while executing malicious transactions in the background.
The attack was executed during a routine multi-signature emissions adjustment process, which is carried out periodically to adapt to changing market conditions. Despite multiple layers of verification through Tenderly simulations and manual reviews, no anomalies were detected during the signing process, the report added.
The attackers took advantage of Safe App transaction resubmissions, which are common due to issues such as gas price fluctuations or network congestion. By imitating these routine errors, the attackers collected multiple compromised signatures without anyone noticing, and eventually obtained signatures for a “transferOwnership” call, which transferred control of Radiant's lending pools to the attackers.
The breach affected Binance Smart Chain (BSC) and Arbitrum, and the attackers used these signatures to alter the smart contracts, specifically exploiting the transferFrom function, as reported by web3 security firm De.Fi (x.com/De_FiSecurity/status/1846624940440572405). This allowed them to drain assets from users who had granted approvals to the lending pools.
Furthermore, the report added that many protocols could be at risk and suggested several preventive measures. These include implementing multi-layer signature verification, using a standalone device to verify transaction data, avoiding blind signing for critical transactions, and setting up error-triggered audits to detect potential issues before signing.
In an October 18 post (x.com/danielvf/status/1847023798270206310), independent programmer Daniel Von Fange noted that the attackers were still draining assets transferred to the compromised wallets and advised users to quickly revoke any approvals they had given to the affected contracts to avoid further losses.
Post-hack measures
Radiant Capital has since paused its lending markets on BNB Chain and Arbitrum. In an October 17 X post, Radiant confirmed that it was working with several cybersecurity companies, including SEAL911, Hypernative, and Chainalysis, to investigate the incident and recover the stolen assets.
Immediate preventive measures of the lending protocol include generating new cold wallet addresses using uncompromised devices for each Safe member, reducing the number of signers to 7, and increasing the signature threshold to 4 out of 7. Additionally, contributors will double-check the transaction data for each transaction using the input data decoder in Etherscan to ensure greater accuracy before signing.
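The independent-device check recommended above (and the Etherscan-style input data decoding Radiant now requires) comes down to decoding the raw calldata a signer is about to approve rather than trusting what the wallet UI displays. The following is an added example, not code from the article, Radiant or Safe: it decodes the 4-byte function selector and the static arguments from calldata and refuses a call that turns out to be transferOwnership. The selector values are the standard ones for these Solidity signatures; the allowlist and the sample calldata are constructed for this illustration.

```python
# Standard 4-byte selectors: the first four bytes of keccak256 over the
# canonical Solidity signature (well-known values, not computed here).
SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

def decode_call(calldata_hex):
    """Decode calldata into (signature, args); handles address/uint256 words only."""
    hex_str = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_str)
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return ("unknown:0x" + selector, [])   # not decodable: treat as suspicious
    signature = SELECTORS[selector]
    types = signature[signature.index("(") + 1:-1].split(",")
    if len(data) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match " + signature)
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i:4 + 32 * (i + 1)]   # each static arg is one 32-byte word
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is right-aligned in the word
        else:
            args.append(int.from_bytes(word, "big"))
    return (signature, args)

def check_before_signing(calldata_hex, allowed_signatures):
    """Return (ok, reason). ok is False unless the call is one the routine task expects."""
    signature, args = decode_call(calldata_hex)
    if signature == "transferOwnership(address)":
        return (False, "ownership transfer to %s is never part of a routine update" % args[0])
    if signature not in allowed_signatures:
        return (False, "unexpected function " + signature)
    return (True, "expected call " + signature)

# Hypothetical allowlist for a routine operation; derive it from the real ABI.
ROUTINE = {"approve(address,uint256)"}
# Constructed samples: a benign approve, and calldata that really encodes
# transferOwnership to 0x11..11 whatever the UI claimed.
SAMPLE_BENIGN = "0x095ea7b3" + "00" * 12 + "22" * 20 + "00" * 31 + "05"
SAMPLE_MALICIOUS = "0xf2fde38b" + "00" * 12 + "11" * 20

if __name__ == "__main__":
    for name, calldata in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(name, check_before_signing(calldata, ROUTINE))
```

Run the decoding on a device that never touches the signing machine, and compare the decoded function and arguments against what the wallet interface shows before approving.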
The company is also working with US law enforcement to freeze stolen funds and track down attackers, while collaborating with ZeroShadow to analyze the digital footprint left by exploiters.