DeFi protocol Radiant Capital loses $48 million in second exploit this year
Hackers managed to gain control of the platform's Pool Provider contract, transferring ownership to a malicious contract.
Multichain money market Radiant Capital has been exploited for at least $48 million in what is suspected to be an access control breach, according to early reports by security firm Hacken.
The DeFi protocol’s native token RDNT crashed 7% following the news and is still down a little over 5% over the last 24 hours, trading at $0.067 as of press time.
The attack appears to have involved the compromise of Radiant Capital’s MultiSig wallet, a security feature typically used to enhance protection by requiring multiple approvals for transactions.
Hackers managed to gain control of the platform’s Pool Provider contract, transferring ownership to a malicious contract. This breach allowed the attacker to withdraw large amounts of assets from the platform’s liquidity pools on Binance Smart Chain (BSC) and Arbitrum.
As a result, tokens in lending pools created on both chains were drained, and the exploiter fled with tokens such as Wrapped Ether (WETH), Wrapped Bitcoin (WBTC), Arbitrum (ARB), USD Coin (USDC), and Tether USD (USDT).
Hacken advised users to immediately revoke any approvals they had granted to Radiant Capital to prevent further unauthorized access to their funds.
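The two defensive actions described above, monitoring a protected contract for an ownership handover and revoking an ERC-20 allowance, can both be expressed at the calldata level. The following Python script is an added example written for this page; it is not code from the article, from Hacken, or from Radiant Capital. All addresses and transactions in it are constructed placeholders. The only real values it relies on are the standard 4-byte function selectors for `transferOwnership(address)` (`0xf2fde38b`) and `approve(address,uint256)` (`0x095ea7b3`), which are the first four bytes of the keccak256 hash of each signature.

```python
# Added example (not from the article or Radiant Capital): decode EVM calldata to
# flag transferOwnership calls on a protected contract, and build the
# approve(spender, 0) calldata a user sends to a token to revoke an allowance.
# All addresses and transactions below are constructed placeholders.

from dataclasses import dataclass

# Standard 4-byte selectors: first four bytes of keccak256(signature).
SEL_TRANSFER_OWNERSHIP = bytes.fromhex("f2fde38b")  # transferOwnership(address)
SEL_APPROVE = bytes.fromhex("095ea7b3")             # approve(address,uint256)


def encode_address(addr: str) -> bytes:
    """ABI-encode a 20-byte address as a 32-byte word (left-padded with zeros)."""
    raw = bytes.fromhex(addr.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def decode_address(word: bytes) -> str:
    """Inverse of encode_address: verifies the zero padding and returns 0x-hex."""
    if len(word) != 32 or word[:12] != b"\x00" * 12:
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()


def encode_uint256(value: int) -> bytes:
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    return value.to_bytes(32, "big")


@dataclass
class Tx:
    to: str        # contract being called
    sender: str    # msg.sender, e.g. the protocol's admin multisig
    data: bytes    # raw calldata


def build_revoke_calldata(spender: str) -> bytes:
    """approve(spender, 0): sent by the user to the token contract to revoke an allowance."""
    return SEL_APPROVE + encode_address(spender) + encode_uint256(0)


def detect_ownership_transfers(txs, protected: set, allowed_owners: set):
    """Return (contract, sender, new_owner) for every transferOwnership call on a
    protected contract whose new owner is not on the allowlist."""
    protected = {a.lower() for a in protected}
    allowed = {a.lower() for a in allowed_owners}
    alerts = []
    for tx in txs:
        if tx.to.lower() not in protected:
            continue
        # transferOwnership(address) calldata is exactly selector + one 32-byte word
        if len(tx.data) != 4 + 32 or tx.data[:4] != SEL_TRANSFER_OWNERSHIP:
            continue
        new_owner = decode_address(tx.data[4:36])
        if new_owner not in allowed:
            alerts.append((tx.to.lower(), tx.sender.lower(), new_owner))
    return alerts


# Constructed sample data (placeholders, not real on-chain addresses).
MULTISIG = "0x" + "aa" * 20        # protocol admin multisig
POOL_PROVIDER = "0x" + "bb" * 20   # protected contract being monitored
NEW_OWNER = "0x" + "cc" * 20       # address outside the owner allowlist

SAMPLE_TXS = [
    # routine admin call with an unrelated selector: ignored by the rule
    Tx(to=POOL_PROVIDER, sender=MULTISIG, data=bytes.fromhex("deadbeef") + encode_uint256(1)),
    # ownership handed to an address that is not an approved owner: alert
    Tx(to=POOL_PROVIDER, sender=MULTISIG, data=SEL_TRANSFER_OWNERSHIP + encode_address(NEW_OWNER)),
    # same call against an unmonitored contract: ignored
    Tx(to="0x" + "dd" * 20, sender=MULTISIG, data=SEL_TRANSFER_OWNERSHIP + encode_address(NEW_OWNER)),
]


def run_demo():
    """Run the detection rule over the constructed sample with the multisig as sole allowed owner."""
    return detect_ownership_transfers(SAMPLE_TXS, {POOL_PROVIDER}, {MULTISIG})


if __name__ == "__main__":
    for contract, sender, owner in run_demo():
        print(f"ALERT: {contract} ownership moved by {sender} to non-allowlisted {owner}")
    print("revoke calldata:", build_revoke_calldata(POOL_PROVIDER).hex())
```

The rule deliberately keys on the calldata shape rather than on who signed: in an incident like this one the transaction is sent by the legitimate multisig, so the sender looks normal and only the destination owner is anomalous. Comparing the decoded new owner against a small allowlist of known protocol addresses is what turns the call into an alert.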
Hacken also reported that the malicious contract used in the attack was deployed 14 days ago, suggesting that the exploiter had planned the heist for over two weeks. The attacker had already tried to execute the attack on Oct. 10, but that attempt failed; this incident was the second try. The blockchain security firm repeated its advice that users revoke approvals granted to Radiant Capital to prevent further unauthorized access to their assets.
Tony Ke, security engineering lead at FuzzLand, recommended users also revoke approvals on Ethereum and Base, although it was not confirmed that Radiant was compromised on these chains.
Notably, the drained amount is over half the $75.5 million in total value locked (TVL) that Radiant Capital registers, according to DefiLlama data.
Low signer threshold
Mudit Gupta, CISO at Polygon Labs, called the exploit a “key management failure.” Radiant Capital used a multi-signature wallet with 11 authorized signers but required only 3 signatures to approve changes to its contracts.
An X user identified as 0xBoboShanti also questioned the low signer threshold, which is less than 30% of the total.
This is the second exploit suffered by Radiant in 2024 after an attacker used a flash loan-based exploit to drain $4.5 million from the protocol in January.
Radiant lost up to 37% of its TVL three weeks after the flash loan exploit. Although it managed to recover most of it by March, the amount of funds locked in the protocol dwindled in consecutive months, resulting in Radiant losing 75% of its TVL year-to-date.