Blockchain lending protocol Radiant Capital lost more than $50 million Wednesday as a result of an apparent cyber attack, according to security experts and blockchain data.
Security experts say the attackers took control of Radiant Capital’s blockchain contracts by obtaining three of the “private keys” that control the protocol.
“The Radiant Capital contract was exploited on the BSC and ARB chains using the ‘transferFrom’ function,” Web3 security firm De.Fi explained on X. The exploit allowed the attackers to “exfiltrate user funds, including $USDC $WBNB $ETH,” the company said.
De.Fi said in another X post that Radiant is controlled by a multi-signature, or “multisig” wallet with 11 signatories. The attackers appear to have been able to obtain three of these signers’ “private keys,” which was enough to upgrade the platform’s smart contracts.
The Radiant platform includes a set of tools that allow users to borrow, lend, and bridge cryptocurrencies across blockchains.
This is the second time this year that this protocol has been targeted by an exploit. In January, Radiant lost $4.5 million in an unrelated hack stemming from a bug in its smart contracts.
It was unclear at press time how the private keys were compromised in Wednesday’s attack. Some members of an Ethereum security group on the messaging app Telegram have speculated that the attack may have stemmed from a compromised front end. That would mean a legitimate Radiant key holder may have accidentally interacted with a malware-laden version of the protocol.
Radiant acknowledged the exploit in a post on its official X account, but did not provide specific details.
“We recognize that there are issues with the Radiant Lending market on Binance Chain and Arbitrum,” Radiant said. “We are working with SEAL911, Hypernative, ZeroShadow, and Chainalysis and will provide updates as soon as possible. Base and Mainnet markets are suspended until further notice.”
Managed by a decentralized autonomous organization (DAO), Radiant states on its website that its mission is to “develop fragmented numbers across Web3 financial markets under one secure, user-friendly, and capital-efficient omnichain. billion in liquidity.”
This is a developing story. Radiant Capital did not respond to a request for comment.
Updated (20:45 UTC, October 16, 2024): Adds background information about Radiant and another hack in January 2024.