Radiant Capital, a cross-chain lending protocol, was forced to halt its lending markets following a massive cybersecurity breach that resulted in the loss of over $50 million. The exploit occurred on both the Binance Smart Chain (BNB Chain) and Arbitrum networks, impacting several cryptocurrencies. According to statements from Radiant and cybersecurity experts, the attacker exploited the protocol’s vulnerabilities using the ‘transferFrom’ function, draining users’ funds, including USDC, WBNB, and ETH.
The breach was first reported by Web3 cybersecurity firm De.Fi Antivirus, which detailed how the attacker managed to exploit Radiant Capital’s contracts on the BNB Chain and Arbitrum networks. De.Fi estimated the losses at around $58 million, a figure corroborated by another cybersecurity firm, Ancilia Inc., which pegged the losses at approximately $50 million.
“Radiant Capital contracts were exploited on BSC & ARB chains with the ‘transferFrom’ function, which allowed the draining of users’ funds,” De.Fi said in an Oct. 16 post on X.
Radiant Capital quickly acknowledged the situation, issuing an update through its own X account: “We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum.” Radiant also confirmed that they are working with security teams, including SEAL911, Hypernative, ZeroShadow, and Chainalysis, to investigate the exploit and address the breach. All markets on Base and Mainnet have been paused until further notice to prevent further losses.
Multisignature Wallet Compromise
One of the key factors that contributed to the breach was the compromise of Radiant Capital’s multisignature wallet, or “multisig.” Multisigs are widely used in Web3 protocols as a security mechanism, requiring multiple signers to authorize transactions. However, in this case, the attacker reportedly gained access to several private keys of the signers, allowing them to take control of smart contracts within the protocol.
This attack has drawn comparisons to the classic scenario of theft, with Pop Punk, the pseudonymous co-founder of the token launch platform g8keep, humorously describing it as, “Radiant Capital just had their protocol stolen from them like a school bully steals lunch money. Multisig was compromised and ownership was transferred.”
Pop Punk also urged users to revoke all approvals on the platform to prevent additional losses: “Tens of millions of dollars in losses so far.”
A Growing Trend of Multisig Vulnerabilities
Radiant Capital’s exploit is part of a growing trend in crypto hacks where attackers target access control mechanisms, particularly multisig wallets. According to a report by cybersecurity firm Hacken, exploits of these control mechanisms accounted for $316 million, or almost 70% of the total funds stolen in crypto-related hacks during the third quarter of 2024.
Although multisigs are designed to enhance security by decentralizing authority, they can become single points of failure if an attacker successfully compromises enough private keys. The breach at Radiant Capital has reignited the debate on whether multisigs are an effective long-term solution for securing decentralized protocols.
Calls for More Decentralized Security Solutions
In response to the Radiant Capital hack, some experts are calling for a shift away from reliance on multisig wallets. Sreeram Kannan, the founder of restaking protocol EigenLayer, argued that many Web3 projects rely on multisigs, which he believes undermines the decentralized trust that blockchain technology is supposed to provide.
“At the end of the day, users aren’t getting the trust that blockchain is supposed to provide,” Kannan told Cointelegraph. He emphasized the need for more advanced, decentralized security measures to protect users and prevent centralized points of failure, adding, “We need to move beyond that.”
The impact of the breach on Radiant Capital’s users and the platform’s future remains uncertain. As of now, the protocol’s lending services on Base and Mainnet remain paused, and Radiant’s team is working with multiple cybersecurity firms to assess the damage and determine the next steps for recovery.
Radiant will likely need to develop a robust plan to compensate affected users and restore trust in the platform. Depending on the outcome of the investigation, Radiant could introduce enhanced security measures, such as more decentralized governance models, stricter audit protocols, or alternative access control mechanisms to mitigate future risks.
| Date | Event | Details |
|---|---|---|
| Oct. 16, 2024 | Radiant Capital exploit reported | $50–$58 million lost via ‘transferFrom’ function |
| Affected Chains | Binance Smart Chain, Arbitrum | Exploited contracts on both networks |
| Attack Vector | Multisig wallet compromise | Attacker gained control of smart contracts |
| Response | Lending markets paused, investigation ongoing | Collaboration with cybersecurity teams |
Radiant Capital’s $50 million exploit underscores the ongoing challenges the crypto industry faces regarding security and trust. The compromise of its multisig wallet and subsequent attack highlight the vulnerabilities inherent in current Web3 security protocols. While multisigs have been a dominant security feature, their susceptibility to attacks demands a reevaluation of how decentralized platforms secure their funds and users.
As the investigation unfolds, it is crucial for Radiant and the broader crypto community to learn from this breach, adopting stronger and more decentralized security measures to safeguard users’ assets and the future of the industry.
Featured image credit: flatart via Freepik
Follow us for more breaking news on DMR