Radiant Capital released a post-mortem analysis of the $50M attack



Radiant Capital has released a detailed analysis of the October 16 exploit that resulted in the loss of more than $50 million in user funds.

As explained in the postmortem, the attacker used highly advanced malware to poison transactions, allowing them to steal funds through the usual multi-signature process.

Common failures used as an attack method

It all started when the hacker compromised the hardware wallets of the three main developers of the protocol and injected them with malware that masqueraded as legitimate transactions. While the developers signed what they believed to be a standard release fix, the malware executed unauthorized transactions in the background.

Radiant Capital reiterated that its contributors followed standard operating procedures to the letter throughout the process. They simulated each transaction for accuracy on Tenderly's Web3 infrastructure platform and reviewed it individually at each signature stage.

Even with these multiple layers of verification, front-end checks showed no visible signs that malware had entered the protocol's systems.

What stood out in the company's review was how the attacker used common transaction failures to carry out the hack. Such failures in wallets, often caused by fluctuating gas prices or network congestion, served as cover to collect private keys, all while maintaining a sense of normality.
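The failure mode described above, where signers approve one payload while a different one is signed behind routine-looking errors, can be checked for after the fact. The following is an added example, not code from Radiant Capital or its post-mortem: it audits a constructed signing log for signatures that do not match the reviewed payload and for repeated re-sign prompts. The log format, the names and the use of SHA-256 as a stand-in for the multisig transaction hash are assumptions, and the "signed" value is assumed to come from a source independent of the signer's workstation.

```python
import hashlib
from collections import defaultdict

# Constructed sample events (not incident data). Assumed format:
# (proposal_id, signer, event, payload_hex)
#   "reviewed": payload the signer simulated and approved
#   "signed":   payload the signing device reports it actually signed
#   "failed":   wallet reported an error and asked the signer to re-sign
EVENTS = [
    ("prop-1", "dev-a", "reviewed", "aa01"),
    ("prop-1", "dev-a", "signed", "aa01"),
    ("prop-1", "dev-b", "reviewed", "aa01"),
    ("prop-1", "dev-b", "failed", ""),
    ("prop-1", "dev-b", "signed", "ff99"),   # differs from what was reviewed
    ("prop-1", "dev-c", "reviewed", "aa01"),
    ("prop-1", "dev-c", "failed", ""),
    ("prop-1", "dev-c", "failed", ""),       # second re-sign prompt
    ("prop-1", "dev-c", "signed", "aa01"),
]

def digest(payload_hex):
    # Stand-in for the transaction hash a multisig signer commits to.
    return hashlib.sha256(bytes.fromhex(payload_hex)).hexdigest()

def audit(events, max_failures=1):
    """Return (proposal, signer, reason) alerts for a signing log."""
    reviewed = {}                 # (proposal, signer) -> reviewed digest
    failures = defaultdict(int)   # (proposal, signer) -> re-sign prompts
    alerts = []
    for prop, signer, event, payload in events:
        key = (prop, signer)
        if event == "reviewed":
            reviewed[key] = digest(payload)
        elif event == "failed":
            failures[key] += 1
            # A failure is normal once; a run of them is worth a pause.
            if failures[key] == max_failures + 1:
                alerts.append((prop, signer, "repeated-failures"))
        elif event == "signed":
            # Also fires when nothing was reviewed before signing.
            if reviewed.get(key) != digest(payload):
                alerts.append((prop, signer, "payload-mismatch"))
    return alerts

if __name__ == "__main__":
    for alert in audit(EVENTS):
        print(alert)
```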

The attacker then took control of some smart contracts and eventually made off with millions of dollars in assets, including USDC, wrapped BNB (wBNB) and Ethereum (ETH).

The actual amount stolen varies between $50 million and $58 million, depending on the source of the report. The decentralized finance (DeFi) platform cited the lowest figure in its account of the event.

FBI tapped to help recover stolen funds

In the report, the chain lender said it is working closely with US law enforcement, including the FBI, as well as cyber security firms SEAL911 and ZeroShadow to track down the stolen crypto.

Additionally, as a precaution, users are advised to revoke approvals on all chains, including Arbitrum, BSC and Base. This move is in response to the exploiter capitalizing on open approvals to withdraw funds from accounts.

Radiant Capital has created new cold wallets and adjusted signing limits to improve the security of the platform. Similarly, a mandatory 72-hour delay has been introduced for all contract upgrades and ownership transfers. This is to allow enough time for the community to check transactions before the final execution takes place.

However, given the level of sophistication in the breach, the organization acknowledged that even these measures could not have prevented the attack.

DeFi exploits are growing at an alarming rate, and two recent studies paint a fascinating picture. According to PeckShield, there were more than 20 hacks in September, which caused more than $120 million in losses.

Additionally, in the third quarter of 2024, more than $440 million was stolen from crypto platforms, according to Hacken, another blockchain security firm.
