Radiant Capital $58M hack an expensive ‘lesson’ for DeFi

Radiant Capital said it transferred ownership into a timelock contract, which enforces a 72-hour waiting period for adjustments.

Radiant Capital resumed its Ethereum lending markets after a hack that cost about $58 million in digital assets. 

On Nov. 1, the lending protocol said it had implemented improvements including transferring ownership into a timelock contract. The Radiant Capital team said this enforces a mandatory 72-hour waiting period for any adjustments, fortifying Radiant’s security. 

The team also implemented an emergency admin role using a multisignature structure. The role is tasked with pausing and unpausing the lending protocol’s markets as necessary. 

In addition, its decentralized autonomous organization (DAO) changed its multisignature security, reducing the number of required signers to seven with a four-out-of-seven signing threshold. 

Multisignature wallets enhance security by requiring multiple signatures to execute or process crypto transactions. This eliminates the risk of a single point of failure associated with having only one private key. 
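A small off-chain model of the controls described above (72-hour timelock, four-of-seven threshold, pause-only emergency role), added here as an illustration and not Radiant Capital's contract code. The class and method names, the sample action strings, and the rule that the delay starts when the fourth approval arrives are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DELAY = 72 * 3600            # 72-hour waiting period reported in the article
THRESHOLD, N_SIGNERS = 4, 7  # four-out-of-seven threshold reported in the article

class Rejected(Exception):
    """A governance step was refused."""

@dataclass
class Change:
    action: str
    approvals: set = field(default_factory=set)
    eta: Optional[int] = None  # earliest execution time, set once the threshold is met
    done: bool = False

class TimelockedMultisig:  # hypothetical off-chain model, not a real contract
    def __init__(self, signers, emergency_admins):
        if len(set(signers)) != N_SIGNERS:
            raise ValueError("expected seven distinct signers")
        self.signers = frozenset(signers)
        self.emergency_admins = frozenset(emergency_admins)
        self.changes, self.markets_paused = {}, False

    def approve(self, change_id, action, signer, now):
        if signer not in self.signers:
            raise Rejected("unknown signer")
        change = self.changes.setdefault(change_id, Change(action))
        if change.action != action:
            raise Rejected("approval does not match the queued action")
        change.approvals.add(signer)  # a set: one key counts once
        if change.eta is None and len(change.approvals) >= THRESHOLD:
            change.eta = now + DELAY  # the clock starts when the threshold is met
        return change.eta

    def execute(self, change_id, now):
        change = self.changes[change_id]
        if change.eta is None or now < change.eta or change.done:
            raise Rejected("threshold not met, timelock running, or already executed")
        change.done = True
        return change.action

    def set_paused(self, admin, paused):  # the emergency role can do only this
        if admin not in self.emergency_admins:
            raise Rejected("not an emergency admin")
        self.markets_paused = paused

    def pending(self, now):  # queued but not yet executable: what a monitor alerts on
        return sorted(i for i, c in self.changes.items()
                      if c.eta is not None and not c.done and now < c.eta)
```

In this model, three approvals never start the timelock, and a change that does reach four approvals stays visible in `pending()` for the full 72 hours before it can run.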

An expensive “lesson” for DeFi

The security enhancements follow an exploit that led to $58 million in digital asset losses. On Oct. 16, Radiant Capital halted its lending markets after a cybersecurity breach on BNB Chain and Arbitrum. 

Attackers gained control of several signers’ private keys and smart contracts, which allowed them to drain over $50 million in assets from the protocol.

On Oct. 18, Radiant Capital confirmed in a post-mortem that the attackers compromised the devices of at least three of its core developers by injecting malware. 

Radiant Capital said the devices were compromised in such a way that the front end of the developers’ wallets displayed legitimate transaction data while malicious transactions were signed and executed in the background.

In an X post, security professional Patrick Collins described the incident as a “$50 million lesson” that the decentralized finance (DeFi) space needs to remember. Collins said an educational or tooling gap exists in verifying transactions using hardware wallets. 


Meanwhile, the Radiant Capital hacker has already moved about $52 million of the stolen funds from the incident. On Oct. 24, blockchain security firm PeckShield said that the exploiter had already moved “nearly all” of the stolen funds. 


Wallet signing issues in crypto

Phishing incidents in crypto have already led to the loss of millions in digital assets. On Aug. 21, a crypto phishing attack drained $55 million in stablecoins after a whale mistakenly signed a transaction that transferred the ownership of funds to attackers.

Because of such incidents, hardware wallet Ledger said there’s a need to promote clear signing in the crypto space. Ledger CEO Pascal Gauthier previously told Cointelegraph in an interview that the industry should move away from blind signing and that Ledger had partnered with several entities to educate the community through a clear signing initiative.
