Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence

Yesterday, lending platform Radiant Capital suffered a loss of over $50 million worth of crypto when the project’s multisig wallet was compromised.

The incident offers a stark reminder of the importance of key management in the industry, and the potential for damage when signer addresses are compromised.

According to blockchain security firm SlowMist, private keys to three of 11 addresses were compromised in order to “transfer ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.” This was then used to drain lending markets on two networks: Arbitrum and BNB Chain.

#ancilia_alerts It seems like something happen with @RDNTCapital contract on BSC. We have noticed several transferFrom user's account through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had…
— Ancilia, Inc. (@AnciliaInc) October 16, 2024

Crypto auditor Ancilia Inc. alerted the community, instructing users to revoke token approvals to the affected contracts, and adding updates as the losses mounted.

Unfortunately, the security experts were also reportedly duped into sharing a wallet drainer link from a spoofed account, ‘Radiarnt Capital.’

Radiant Capital’s official X (formerly Twitter) account acknowledged the incident approximately two hours later, as well as confirming the list of compromised contracts. In the meantime, regular marketing material was published and screenshots emerged of a team member assuming users had fallen victim to a “phising” (sic.) attack.

The stolen funds — $19 million and $32 million worth of BNB and ETH respectively — are currently held in attacker addresses on BNB Chain and Arbitrum. Radiant Capital previously lost $4.5 million to a well-known bug in January of this year.

Wider threat

The news underlined the decentralized finance (DeFi) sector’s reliance on multisig wallets to secure crypto worth billions of dollars.

L2BEAT researcher donnoh.eth pointed out the sheer scale of funds secured across the sector, with the threshold for each multisig displayed alongside the value held within.

– @blast 3/5 msig ($1.45B)
– @0xMantle 6/13 msig ($1.44B)
– @LineaBuild 4/6 msig ($849M)
– @Starknet 2/5 msig ($676M)
– @MetisL2 4/9 msig ($303M)
– @fraxfinance 3/5 msig ($170M)
– @taikoxyz 3/4 msig ($100M)
– @loopringorg 4/6 msig ($45M)
– @KintoXYZ 3/5 msig ($36M) https://t.co/uLt82LdAtW
— donnoh.eth 💗 in CM 🇹🇭 (@donnoh_eth) October 17, 2024

The figures show that just two compromised signatures could lead to losses of $676 million on Starknet. A total of $1.756 billion is secured by just three signatures apiece across Blast (by far the best value-for-key for potential hackers), Frax, Taiko, and Kinto.

Four-signature thresholds secure $1.197 billion in total between Linea, Metis and, Loopring. Finally, $1.44 billion Mantle has the highest threshold, but with 13 possible signers come more opportunities for would-be spear phishing targets.

Multisig wallets are a common security feature for crypto users, especially projects that manage funds as a team or for making critical upgrades to their platforms. An established threshold of signatures is required to send transactions, with no single address able to do so alone.

However, multisigs represent a ‘honeypot’ target for black hats, with extraordinarily large sums extracted on occasion.

In July, Indian crypto exchange WazirX lost $230 million after two signer addresses were compromised, and a further two were likely tricked into signing a malicious transaction. In March 2022, the now infamous Ronin Bridge attack saw over $600 million stolen, which went unnoticed for almost a week.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.