Radiant Capital, a decentralized lending protocol, has suffered a new hack, costing them over $50 million. According to security experts and blockchain data, this incident is the result of a sophisticated attack in which the attackers took control of the platform’s smart contracts.
Fraudulent Access to Private Keys
According to web3 security company Ancilia, the attackers managed to obtain three of the eleven private keys needed to modify Radiant Capital’s smart contracts. These keys are managed by a multi-signature wallet, which means a specific majority of signers is required to make changes within the protocol. However, three private keys were enough for the hackers to exploit a critical vulnerability.
The attack affected the Binance Smart Chain (BSC) and Arbitrum blockchains, where Radiant Capital’s contracts were manipulated using the transferFrom function, allowing the hackers to drain users’ funds, including $USDC, $WBNB, and $ETH.
The Second Attack Against Radiant
This is not the first time Radiant Capital has faced such an attack. In January of this year, the platform already lost $4.5 million due to a flaw in its smart contracts. This new, much more devastating attack raises concerns about the security of DeFi protocols and the management of private keys in a decentralized ecosystem.
How Did the Attack Happen?
It remains unclear how the private keys were compromised. Speculation has emerged from a security group on Telegram, suggesting that a compromised front-end could have tricked legitimate key holders into interacting with a protocol infected with malware. Radiant Capital has not provided specific details on this matter, only acknowledging the exploit on its official X account and recommending that users revoke access to their capital.
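As an added example (not code from Radiant Capital or from the original article), the Python sketch below shows how a user could find ERC-20 approvals still open to a previously approved contract, which is what transferFrom relies on, and build the approve(spender, 0) calldata that revokes them. All addresses and log entries are constructed placeholders, and the log layout is a simplified form of an eth_getLogs result with numeric fields as integers.

```python
# Added example; every address and log entry here is a constructed placeholder.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word / indexed topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_to_address(topic):
    """An indexed address occupies the low 20 bytes of its 32-byte topic."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spender):
    """Replay Approval logs in chain order; return {(token, owner): amount} still > 0."""
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval carries 4 topics)
        if topic_to_address(topics[2]) != spender:
            continue
        amount = int(log["data"], 16) if log["data"] not in ("", "0x") else 0
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = amount
    # Spending via transferFrom need not emit Approval, so treat these amounts as an
    # upper bound and confirm each one with the token's allowance(owner, spender).
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), the call that revokes an allowance."""
    return "0x" + APPROVE_SELECTOR + pad(spender)[2:] + "0" * 64

SPENDER = "0x" + "aa" * 20   # hypothetical contract the user once approved
TOKEN, OWNER1, OWNER2 = "0x" + "cc" * 20, "0x" + "11" * 20, "0x" + "22" * 20

def _log(owner, amount, block, idx):
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(owner), pad(SPENDER)],
            "data": hex(amount), "blockNumber": block, "logIndex": idx}

SAMPLE_LOGS = [
    _log(OWNER2, 0, 105, 2),            # OWNER2 later revoked
    _log(OWNER1, 2**256 - 1, 100, 0),   # unlimited approval, never revoked
    _log(OWNER2, 1000, 101, 0),
]

if __name__ == "__main__":
    for (token, owner), amount in outstanding_allowances(SAMPLE_LOGS, SPENDER).items():
        print(f"{owner} still allows {amount} of {token}")
        print("send to token contract:", revoke_calldata(SPENDER))
```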
Radiant Capital’s Reaction to the $50 Million Hack
In an initial response, Radiant stated that they are aware of the issue affecting their lending markets on Binance Chain and Arbitrum. The company is currently working with several security partners, including SEAL911, Hypernative, ZeroShadow, and Chainalysis, to understand and mitigate the consequences of the attack. In the meantime, the markets on Base and the Mainnet have been suspended.
Radiant Capital, controlled by a decentralized autonomous organization (DAO), has set out to “bring together the billions of fragmented liquidity across web3 money markets into a secure, user-friendly, and capital-efficient omnichain platform.” However, these recent security flaws highlight the challenge of maintaining such a secure environment.