Radiant Capital was hacked on Wednesday, resulting in losses exceeding $50 million.
Several blockchain security firms have reported that the exploit occurred due to an apparent cyberattack targeting the platform's smart contracts on both the Binance and Arbitrum networks.
Compromised Multisig
The incident was first detected by blockchain security firm Ancilia Inc., which reported suspicious activity on a Radiant Capital smart contract on the BNB Chain at 1:35 PM ET in an X post.
According to Ancilia, several on-chain transactions showed that hackers drained at least $18 million from Radiant on the BNB network. The attack soon spread to its liquidity pools on the Ethereum layer-2 network Arbitrum, where more assets were compromised.
Web3 security firm De.Fi explained that the bad actors gained control by compromising a multisig, which requires the approval of multiple signers to execute transactions. The attacker was able to obtain the private keys of 3 out of the 11 signers that secure Radiant's wallet. This gave them enough access to upgrade the platform's smart contracts and transfer ownership.
Hacken reported that the funds were drained from various trading pools on Radiant, including those holding popular cryptocurrencies such as USDC, USDT, wrapped Bitcoin (wBTC), wrapped Ethereum (wETH), Binance Coin (wBNB), and others.
Spot On Chain disclosed that the protocol was exploited for $53 million in crypto assets. The hacker has since converted the stolen funds into native tokens, holding 12,835 ETH (valued at $33.56 million) and 32,113 BNB (worth $19.35 million) across two wallet addresses.
Radiant Capital's Response
The DeFi platform confirmed the incident in an X post, stating that it was aware of suspicious activity affecting its lending markets on the Binance Chain and Arbitrum. It responded by suspending its markets on Ethereum and the layer-2 network Base “until further notice” while it investigates the breach.
“We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum.”
The announcement also mentioned that Radiant is working with several Web3 security partners, including SEAL911, Hypernative, ZeroShadow, and Chainalysis, to resolve the situation and prevent further damage. Additionally, it has urged users to revoke all permissions to the smart contracts powering its protocol.
Meanwhile, this marks the second exploit the protocol has faced this year. In January 2024, the lending platform lost $4.5 million in an unrelated hack caused by a vulnerability in its smart contracts.
