Radiant Capital, a decentralized lending protocol, has suffered a massive cyberattack, losing more than $50 million in digital assets. This incident marks the second significant exploit the platform has faced this year, further raising concerns about the security of decentralized finance (DeFi) platforms.
The Incident Unfolds
The attack was first reported on Wednesday by blockchain security firm Ancilia Inc., which flagged suspicious activity involving Radiant Capital's smart contracts on BNB Chain. Initial reports showed approximately $16 million being drained from the platform on BNB. Shortly after, assets were also siphoned from Radiant's liquidity pools on Arbitrum. Another security firm, Hacken, later confirmed that the total stolen assets, including USDT, USDC, and ARB, amounted to nearly $50 million. Radiant Capital acknowledged the issue on X (formerly Twitter), stating, "We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum," and assured users they were working with blockchain security teams SEAL911, Hypernative, ZeroShadow, and Chainalysis to investigate the breach.
How the Attack Happened
According to Web3 security firm De.Fi, the attackers managed to exploit Radiant's smart contracts through the 'transferFrom' function, allowing them to drain user funds. Radiant operates using a multi-signature (multisig) wallet system, requiring 11 signers to authorize any protocol upgrades. The attackers somehow obtained three of these private keys, which gave them enough control to modify the smart contracts and carry out the attack. While the exact method by which the private keys were compromised remains unclear, some experts in the Ethereum security community have speculated that it may have resulted from a front-end attack. This type of exploit could have deceived legitimate key-holders into interacting with a malicious interface, thereby granting the attacker access to the protocol.
Radiant’s response included pausing its markets on Ethereum and the layer-2 network Base while urging users to revoke their smart contract permissions as a safety measure. The platform also directed users to the Revoke.Cash service to check if they were at risk.
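Why revoking permissions matters here, as an added example (not code from Radiant or Revoke.Cash): an ERC-20 `transferFrom` call can move at most the allowance a user has granted to the calling contract, so a user's exposure per token is the smaller of that allowance and their balance. The sketch replays `Approval` events to compute it; all addresses, logs and balances are constructed placeholders, and token symbols stand in for token contract addresses.

```python
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1  # value wallets commonly use for an "unlimited" approval

# Placeholder identities, constructed for this example (not real addresses).
POOL = "0xPOOL_PLACEHOLDER"        # the lending contract users approved
OTHER = "0xOTHER_DAPP_PLACEHOLDER"  # an unrelated spender
ALICE = "0xALICE_PLACEHOLDER"

@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) log entry."""
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int

# Constructed sample logs and balances, in token base units.
SAMPLE_LOGS = [
    Approval(100, 0, "USDC", ALICE, POOL, 500),
    Approval(120, 3, "USDC", ALICE, POOL, MAX_UINT256),  # replaces the 500
    Approval(130, 1, "USDT", ALICE, POOL, 1_000),
    Approval(140, 0, "USDT", ALICE, POOL, 0),            # revoked
    Approval(150, 2, "ARB", ALICE, OTHER, MAX_UINT256),  # different spender
    Approval(160, 0, "ARB", ALICE, POOL, 250),
]
SAMPLE_BALANCES = {"USDC": 2_000, "USDT": 900, "ARB": 100}

def current_allowances(logs, owner):
    """approve() sets the allowance (it does not add), so the latest event wins."""
    state = {}
    for ev in sorted(logs, key=lambda e: (e.block, e.log_index)):
        if ev.owner == owner:
            state[(ev.token, ev.spender)] = ev.value
    return state

def exposure(logs, balances, owner, spender):
    """Per token, what `spender` could pull via transferFrom: min(allowance, balance)."""
    report = {}
    for (token, sp), allowance in current_allowances(logs, owner).items():
        if sp != spender or allowance == 0:
            continue  # other spenders and revoked approvals carry no exposure here
        report[token] = {
            "unlimited": allowance == MAX_UINT256,
            "at_risk": min(allowance, balances.get(token, 0)),
        }
    return report

if __name__ == "__main__":
    for token, row in exposure(SAMPLE_LOGS, SAMPLE_BALANCES, ALICE, POOL).items():
        print(token, row)
```

Replaying events gives an upper bound, because many tokens do not emit `Approval` when `transferFrom` spends part of an allowance; the authoritative value is the token's on-chain `allowance(owner, spender)`.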
Not the First Incident
This latest exploit isn't the first time Radiant Capital has been targeted. In January, the protocol lost $4.5 million in a separate flash loan-based attack on Arbitrum due to a bug in its smart contracts. The recurrent breaches underline the vulnerabilities in DeFi systems, where even protocols designed to be capital-efficient and secure are regularly targeted by sophisticated hackers.
The $50 million exploit on Radiant Capital has rattled the DeFi community once again, raising serious concerns about the security of blockchain protocols and the safeguarding of user funds. With two major hacks in less than a year, Radiant faces an uphill battle to restore trust. The incident serves as a reminder of the critical need for constant vigilance and improved security mechanisms in the rapidly evolving world of decentralized finance. The investigation is ongoing, and users are advised to stay alert and take appropriate measures to protect their assets.