Briefing

The Radiant Capital DeFi lending protocol suffered a significant security breach in October 2024, resulting in an estimated loss of $50 million to $58 million across its Arbitrum and BNB Chain deployments. The incident stemmed from a sophisticated supply chain attack that compromised the protocol’s 3-of-11 multi-signature governance scheme. Attackers used malware to trick signers into approving malicious transactions, ultimately gaining control over critical Pool Provider contracts and enabling unauthorized fund drainage. This event highlights the vulnerabilities inherent in complex multi-signature setups and the continued targeting of high-value DeFi protocols by advanced persistent threat (APT) groups.

Context

Prior to this incident, the DeFi ecosystem had already faced numerous exploits, including flash loan attacks and oracle manipulations, underscoring the inherent risks in smart contract interactions and governance mechanisms. Radiant Capital itself experienced an earlier flash loan attack in January 2024 due to rounding issues. The prevailing attack surface for many protocols included vulnerabilities in off-chain operational security, such as developer machine compromise or phishing, which could lead to the subversion of on-chain controls like multi-signature schemes. The reliance on human signers within multi-sig frameworks introduced a critical human element vulnerability.

Analysis

The attack’s technical mechanics involved a multi-stage supply chain compromise. A Radiant developer received a malicious ZIP file, disguised as a legitimate smart contract auditing report, from a spoofed former contractor. This file delivered sophisticated INLETDRIFT malware, establishing a persistent macOS backdoor. The attackers then used this access to manipulate the Gnosis Safe wallet frontend, displaying legitimate transaction data to signers while simultaneously pushing malicious transactions to their hardware wallets for blind signing.

With compromised signatures, the attacker gained control of the Pool Provider contract, which manages lending pools, and subsequently upgraded the pool contracts to malicious versions. These upgraded contracts retained the original permissions, allowing the attacker to drain user funds from wallets that had previously granted approvals.

Parameters

  • Protocol Targeted → Radiant Capital
  • Attack Vector → Multi-signature Compromise via Supply Chain Attack and Malware
  • Financial Impact → $50 Million – $58 Million
  • Affected Blockchains → Arbitrum, BNB Chain
  • Malware Used → INLETDRIFT
  • Attacker Affiliation → Suspected DPRK-aligned threat actor (UNC4736)
  • Recent Fund Movement → $14 Million DAI swapped for ETH, $6.5 Million ETH sent to Tornado Cash

Outlook

Immediate mitigation for users involves revoking approvals for affected Radiant Capital contracts on Arbitrum and BNB Chain. This incident underscores the urgent need for enhanced supply chain security, robust hardware wallet usage with careful transaction verification (avoiding blind signing), and advanced threat detection for developer environments. Protocols should implement more stringent multi-sig operational procedures, including independent verification of transaction payloads. The event will likely drive new security best practices focusing on comprehensive endpoint security for core team members and a re-evaluation of the human element in decentralized governance.
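
One way to make the independent payload verification described above concrete, as an added example that is not code from Radiant Capital or from Safe tooling: before approving, a signer compares the action they intend to sign with the raw transaction fields obtained through a channel separate from the wallet frontend, and refuses on any mismatch or privileged call. The policy, the `Proposal` fields, the helper names and the placeholder addresses are assumptions made for illustration; the three selectors are the standard 4-byte selectors of those function signatures.

```python
from dataclasses import dataclass

# Standard 4-byte selectors for privileged calls (ownership change, proxy upgrade).
SENSITIVE = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

@dataclass(frozen=True)
class Proposal:
    to: str         # target contract address
    value: int      # native-token value in wei
    operation: int  # Safe convention: 0 = CALL, 1 = DELEGATECALL
    data: bytes     # raw calldata

def decode(data: bytes):
    """Return (selector hex, first argument as an address or None)."""
    word = data[4:36]
    is_addr = len(word) == 32 and word[:12] == bytes(12)
    return data[:4].hex(), ("0x" + word[12:].hex()) if is_addr else None

def review(intended: Proposal, raw: Proposal) -> list:
    """Compare what the signer meant to approve with the bytes actually queued."""
    findings = []
    if intended.to.lower() != raw.to.lower():
        findings.append(f"target mismatch: {raw.to}")
    if intended.value != raw.value:
        findings.append(f"value mismatch: {raw.value}")
    if intended.data != raw.data:
        findings.append("calldata differs from the intended action")
    if raw.operation == 1:
        findings.append("DELEGATECALL: runs foreign code with the Safe's storage")
    selector, addr = decode(raw.data)
    if selector in SENSITIVE:
        findings.append(f"privileged call {SENSITIVE[selector]} -> {addr}")
    return findings

# Constructed sample data; addresses are placeholders, not real contracts.
TOKEN, POOL_PROVIDER = "0x" + "11" * 20, "0x" + "44" * 20
INTENDED = Proposal(TOKEN, 0, 0, bytes.fromhex("a9059cbb") + bytes(12)
                    + bytes.fromhex("22" * 20) + (10**18).to_bytes(32, "big"))
TAMPERED = Proposal(POOL_PROVIDER, 0, 0,
                    bytes.fromhex("f2fde38b") + bytes(12) + bytes.fromhex("33" * 20))

if __name__ == "__main__":
    for finding in review(INTENDED, TAMPERED):
        print("REFUSE TO SIGN:", finding)
```

An empty findings list means the queued bytes match the intended action; any entry is a reason to stop and re-verify on a clean machine.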

Verdict

This sophisticated multi-signature compromise of Radiant Capital serves as a stark reminder that even robust on-chain governance can be subverted by advanced off-chain attack vectors, necessitating a holistic security posture encompassing both code and human elements.

Signal Acquired from → medium.com/radiant-capital

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

multi-signature compromise

Definition ∞ A multi-signature compromise refers to a security breach where a significant number of private keys required for a multi-signature wallet or contract are illegally obtained.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

human element

Definition ∞ The human element signifies the role of individuals, their decision-making, and behavioral patterns in the context of digital asset systems and markets.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.