Radiant Capital Hacked for Over $50 Million

The lending protocol Radiant Capital was breached on the BNB Chain and Arbitrum networks. The team urged users to revoke permissions for affected contracts using the Revoke service.

Please revoke access to the following contracts on https://t.co/JqPsJBBfNS.

0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1
0x30798cFe2CCa822321ceed7e6085e633aAbC492F
0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281
0xA950974f64aA33f27F6C5e017eEE93BF7588ED07 https://t.co/x4l7J8UVeT

— Radiant Capital (@RDNTCapital) October 16, 2024

Total losses exceeded $50 million, according to data from Ancilia.

4/ thanks for the update from replies. Seems like Arbitrum contract was hacked, too:https://t.co/E7kLLavJ7C
The total lost is > $50M now.

— Ancilia, Inc. (@AnciliaInc) October 16, 2024

“We noticed several transfers from user accounts using transferFrom via contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke permissions as soon as possible. It seems the new implementation had vulnerable functions,” noted Ancilia experts.

The transferFrom exploit uses a smart contract function to allow one account to send a specified amount of tokens from the victim’s account to a third wallet. Typically, this requires the attacked party to grant permission to interact with a fake address.

According to Ancilia, the backdoor contract was deployed around 20:09 Kyiv/Moscow time on October 16. 

You Were Supposed to Fight Evil

Ancilia inadvertently shared a tool for stealing funds from cryptocurrency wallets in an attempt to assist users. 

In a now-deleted tweet, the company posted a fraudulent link from a fake Radiant account, as noted by a user with the nickname Spreek.

For fuck’s sake, if you are a ‘trusted’ security account, you need to absolutely make sure to never do this pic.twitter.com/2jrpN7P00L

— Spreek (@spreekaway) October 16, 2024

Ancilia asked users to revoke permissions by “following the link from the official message.” In reality, it led to a tool for stealing funds.

3 Out of 11 Signatures Compromised

Cybersecurity firm De.Fi reported losses amounting to over $58 million.

?~$58,000,000 Exploit Alert?

Radiant Capital contracts were exploited on BSC & ARB chains with the ‘transferFrom’ function, which allowed to drain users’ funds, namely $USDC $WBNB $ETH and others

⚠️Revoke approvals ASAP?
0xd50cf00b6e600dd036ba8ef475677d816d6c4281 pic.twitter.com/oUHyshwEmL

— De.Fi Antivirus Web3 ?️ (@De_FiSecurity) October 16, 2024

Radiant is controlled by a multi-signature wallet with 11 signatories. The perpetrator apparently managed to obtain the private keys of three of them. This was sufficient to update the platform’s smart contracts, De.Fi highlighted.

Unfortunately, yes.

However, this time, the nature of the hack is different — as in the first time, it was hacked via the flash loan; and now due to the fact that the hacker managed to get access to 3 signers — thus managed to transfer ownership and upgrade the contracts

— De.Fi Antivirus Web3 ?️ (@De_FiSecurity) October 16, 2024

Binance Support

In July 2023, the venture arm of the largest cryptocurrency exchange Binance invested $10 million in Radiant. The project was also launched on Binance Launchpool.

Reports of the platform’s breach led to a decline in the RDNT token price — it lost 10% in the past day.

Radiant is a cross-chain protocol offering the ability to borrow and lend cryptocurrency. In January, it lost $4.5 million in an attack. 

As reported in the third quarter of 2024, losses in the crypto industry due to 155 cases of hacks, exploits, and fraud amounted to $753 million.