Biztech

Menu
Crypto News

Radiant Capital Suffers $51 Million Exploit On Arbitrum And BNB Chain

Eleanore O HattaBy 5 Mins Read
Radiant Capital Suffers $51 Million Exploit On Arbitrum And BNB Chain

Key Takeaways:

  • Omnichain money market protocol Radiant Capital was the victim of a hack that saw cybercriminals steal $51 million worth of funds from its lending markets on the Arbitrum and BNB Chain. 
  • Security experts found that the hackers created a fake wallet address and then compromised Radiant’s multi-sig setup, which requires just 3 out of the 11 signatures, to get unauthorized access to user accounts. 
  • They then used the TransferFrom function to move funds from the target account to a third account, through a second account. The hacker transferred wrapped BNB, ETH, USDT, and USDC worth $51 million to a single wallet. 
  • This is the second time this year that Radiant Capital has suffered a breach in its systems. In January, a hacker conducted a $4.5 million flash loan attack on the platform’s newly created USDC market on Compound and Aave. 

Decentralized borrowing and lending platform Radiant Capital seemingly suffered an exploit on Wednesday that has resulted in significant losses for the protocol. According to evidence provided by the Web3 security firm Ancilia, the attack began on October 15 on the company’s lending markets on the Ethereum Layer 2 network Arbitrum (ARB) and then spread to the Binance Chain (BNB).

Hackers Conduct TransferFrom Attack On DeFi Money Market Radiant To Steal $51 in Crypto

The security expert discovered that the hacker used a TransferFrom function, which exploits a smart contract’s ability to enable one wallet address to send a specified number of cryptocurrencies from a target address to a third account. The feature generally requires the victim’s account to grant permission to interact with a fake wallet address. 

Ancilia took to X immediately after identifying suspicious activity on Radiant, advising users to “revoke” their approval permissions for any contracts related to the platform to protect their funds. 

Tony Ke, security research lead at Fuzzland, noted that Radiant has fallen victim to a TransferFrom function hack across its Arbitrum and BNB chains, causing $51 million in losses so far. He explained that the hacker created a backdoor contract at approximately 17:09 UTC on Wednesday, which gave them unauthorized access to user accounts on Radiant and began transferring tokens. 

Ke speculates that the hack could have stemmed from an internal issue that must have compromised Radiant’s multi-sig setup for their smart contract controls, which only requires 3 out of 11 necessary signatures. He stated that the attack profile suggests that either someone was phished, or there was a compromised computer, or an insider leaked Radiant’s private keys. 

Unfortunately, the hacker was able to gain control of the minimum required signers and change the ownership of the wallet needed for the theft. 

$51M in ETH, BNB, USDC, and USDT Taken From Radiant Markets on Arbitrum and BNB Chain

As per Ancilia’s report, the hacker transferred wrapped versions of Binance Coin (BNB), Ether (ETH), USD Coin (USDC), and Tether USD (USDT), among other tokens, from a Radiant-controlled wallet to a single address that began with 0x0629b. That particular wallet is said to currently hold a BNB balance worth $5 million. According to DeBank, the same wallet shows a $51 million balance, a whopping 2,619,512% increase in token holdings since it was first created, indicating that the attack could be far more widespread.  

The hacker’s address holds over $32 million worth of Arbitrum-based tokens and around $18 million in various tokens on BNB Chain. The largest holdings on the account are in Ether derivatives wstETH and weETH. 

Radiant posted an update indicating that its team has sought help from on-chain security firm SEAL911 and Chainalysis to investigate the exploit and recover the stolen assets. The platform has halted its markets on BNB Chain, Arbitrum, and Base networks. 

Experts Raise Concerns About Radiant’s Security Systems Following Second Major Attack In 2024

The crypto community criticized Radiant Capital’s security structure, especially its multi-sig setup, which requires far fewer signers confirming transactions for a protocol that handles large amounts of crypto assets. Experts think that Radiant should have established enhanced security systems to avoid exploitation of such nature. 

This is the second instance this year where Radiant has been exploited. Back in January, the cross-chain lending protocol had to pause lending and borrowing services on its platform after suffering a $4.5 million flash loan attack on one of its newly created USDC markets. 

According to a report by blockchain security firm Beosin, the attacker exploited a rounding issue in the platform’s Compound and Aave codebase, which led to a “cumulative precision error”. This particular error allowed the hacker to profit through repeated deposit and withdrawal operations. 

Cybersecurity firm PeckShield identified the issue to have been caused by a “known rounding error”, which exploits the time window when a new market is activated in a decentralized lending market. 

The hacker managed to move $4.5 million in ETH out of the platform, forcing Radiant to temporarily halt lending and borrowing markets on Arbitrum. 

Read More: Bitcoin And Ethereum Price Charts Disappear From Google Search 

Hailing from the bustling metropolis of Metro Manila, Philippines, Eleanore Hatta is BizTech Africa's trusted crypto news correspondent. With over a decade of experience as a content writer, Eleanore has honed her expertise in the world of cryptocurrency, with a keen focus on issues like the FTX exchange.

Add A Comment
Leave A Reply