Post-mortem reveals stealthy malware injection led to $50m Radiant Capital exploit



Radiant Capital attackers used malware to hijack developer wallets and swipe over $50 million in assets.

According to Radiant Capital’s post-mortem report, the attack on Oct. 16, 2024, which led to losses upwards of $50 million, was “one of the most sophisticated hacks ever recorded in DeFi.”

The attackers compromised the hardware wallets of at least three Radiant developers through a sophisticated malware injection, though it is believed that more devices may have been targeted.

The malware manipulated the front-end interface of Safe{Wallet} (formerly known as Gnosis Safe), displaying legitimate transaction data to the developers while executing malicious transactions in the background.

The attack was executed during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to changing market conditions. Despite multiple layers of verification through Tenderly simulations and manual reviews, no anomalies were detected during the signing process, the report added.

The attackers took advantage of Safe App transaction resubmissions, a common occurrence due to issues like gas price fluctuations or network congestion. By mimicking these routine errors, the attackers collected multiple compromised signatures unnoticed, eventually signing the “transferOwnership” function, which transferred control of Radiant’s lending pools to the attackers.

The breach affected Binance Smart Chain (BSC) and Arbitrum, with the attackers using these signatures to alter smart contracts, specifically exploiting the transferFrom function, as previously reported by Web3 security firm De.Fi. This allowed them to drain assets from users who had granted approval to the lending pools.

Further, the report added that many protocols might be at risk and suggested several preventative measures. These include implementing multi-layer signature verification, using an independent device for verifying transaction data, avoiding blind signing for critical transactions, and setting up error-triggered audits to catch potential issues before signing.

In an Oct. 18 X post, independent programmer Daniel Von Fange noted that the attackers were still draining any assets being transferred to the compromised wallets and advised users to quickly revoke any approvals they had given to the affected contracts to avoid further losses.
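Two of the points above, verifying transaction data on an independent device rather than trusting the wallet front-end, and revoking approvals granted to a compromised contract, come down to reading and writing raw EVM calldata. The following is an added example, not code from the article, from Radiant Capital, or from Safe: it decodes the calldata of a proposed transaction from its 4-byte selector, flags privileged functions such as transferOwnership, checks the decoded call against the operation the signer intended to perform, and builds the approve(spender, 0) calldata that an approval revocation sends. The selectors are the standard ERC-20/Ownable ones; the addresses and calldata are constructed sample values.

```python
# Added example: offline decoding of multisig calldata before signing, and
# encoding of an ERC-20 approval revocation. Pure Python, no dependencies.

# First 4 bytes of keccak256 of each function signature (standard values).
SELECTORS = {
    "f2fde38b": ("transferOwnership(address)", ["address"]),
    "a9059cbb": ("transfer(address,uint256)", ["address", "uint256"]),
    "095ea7b3": ("approve(address,uint256)", ["address", "uint256"]),
    "23b872dd": ("transferFrom(address,address,uint256)", ["address", "address", "uint256"]),
}

# Calls that hand over control of a contract. A signer should refuse these
# during a "routine" operation unless a second, independent check confirms them.
PRIVILEGED = {"transferOwnership(address)"}


def _strip0x(hexstr):
    return hexstr[2:] if hexstr.lower().startswith("0x") else hexstr


def decode_calldata(calldata_hex):
    """Decode calldata into selector, function name, arguments and a privileged flag.

    Unknown selectors are reported rather than silently accepted, so the signer
    sees that the verification tool could not interpret the call.
    """
    data = bytes.fromhex(_strip0x(calldata_hex))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"selector": selector, "function": None, "args": [], "privileged": False}
    name, types = SELECTORS[selector]
    body = data[4:]
    # Static ABI encoding: every argument occupies exactly one 32-byte word.
    if len(body) != 32 * len(types):
        raise ValueError("calldata length %d does not match %s" % (len(data), name))
    args = []
    for i, t in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if t == "address":
            # The first 12 bytes of an address word must be zero padding.
            if any(word[:12]):
                raise ValueError("non-zero padding in address argument %d" % i)
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"selector": selector, "function": name, "args": args, "privileged": name in PRIVILEGED}


def matches_intent(calldata_hex, expected_function):
    """True only if the call is the known, non-privileged function the signer meant to sign."""
    decoded = decode_calldata(calldata_hex)
    return decoded["function"] == expected_function and not decoded["privileged"]


def encode_revoke_approval(spender):
    """Calldata for approve(spender, 0), i.e. an ERC-20 approval revocation."""
    addr = bytes.fromhex(_strip0x(spender))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x095ea7b3" + addr.rjust(32, b"\x00").hex() + (0).to_bytes(32, "big").hex()


# Constructed sample: transferOwnership to a placeholder address 0x11..11.
SAMPLE_TRANSFER_OWNERSHIP = "0xf2fde38b" + "00" * 12 + "11" * 20
# Constructed sample: a plain ERC-20 transfer of 1000 units to 0x22..22.
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()

if __name__ == "__main__":
    for calldata in (SAMPLE_TRANSFER_OWNERSHIP, SAMPLE_TRANSFER):
        d = decode_calldata(calldata)
        print(d["function"], d["args"], "PRIVILEGED" if d["privileged"] else "")
    print(encode_revoke_approval("0x" + "22" * 20))
```

In practice the calldata string is taken from the hardware wallet's own display or from a transaction-hash lookup on a separate machine, never from the browser page that proposed the transaction; if the decoded function is not the one the signer expected, the signature is withheld regardless of what the front-end shows.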
