Radiant Capital, a blockchain lending protocol, recently faced a significant cyberattack that led to the loss of over $50 million. Hackers exploited the protocol’s smart contracts on Binance Smart Chain and Arbitrum by gaining control of three private keys from Radiant's multi-signature wallet. The attackers altered the smart contracts, allowing them to drain users’ funds, including USD Coin (USDC), Wrapped BNB (WBNB), and Ethereum (ETH). This incident marks the second time this year that Radiant Capital has been exploited, with the first hack in January causing a $4.5 million loss. The recent attack has raised concerns about the security of the protocol, prompting users to rush to revoke permissions on their wallets to protect their remaining funds.
Radiant Capital acknowledged the exploit through an official post, stating they are working closely with several top security firms, including SEAL911, Hypernative, ZeroShadow, and Chainalysis, to investigate the breach. The platform, controlled by a decentralized autonomous organization (DAO), paused all markets on Base and Mainnet as a precautionary measure while the investigation continues.
Web3 security firm De.Fi explained that the attackers used the ‘transferFrom’ function on Radiant's smart contracts, which enabled them to steal users’ assets. The firm also highlighted that the hack was made possible because the hackers gained access to three private keys of the protocol’s multi-signature wallet, which had a total of 11 signers. It remains unclear how the hackers obtained these private keys, but speculation within the Ethereum security community suggests it could have stemmed from a compromised front-end.
In the aftermath of the attack, crypto security firm Ancilia accidentally shared a harmful link while attempting to help Radiant Capital users revoke permissions. The link led to a wallet drainer, which could have stolen more funds from users who clicked on it. Ancilia quickly deleted the post, but the incident attracted criticism, with crypto commentator "Spreek" pointing out the seriousness of the mistake. Radiant has since directed users to safely revoke permissions using the revoke.cash tool to avoid further losses.
Also Read: X Empire Pre Market Price on Gate.io: Check $X Listing Date Today