📣 $50M Gone in Radiant Capital Hack – How Did It Happen Again?

posted 17 Oct 2024
Hackers gained access to three private keys that control the Radiant protocol, allowing them to manipulate smart contracts and withdraw user funds.

This was reported by DeFi Antivirus Web3 on their X account.
The attack took place on both the Binance Smart Chain and Arbitrum networks. The attackers exploited a vulnerability in the "transferFrom" function*, enabling them to transfer funds from users' accounts without their authorization.

*The transferFrom function is widely used in ERC-20 token smart contracts. It allows one account to transfer tokens from another account. What makes transferFrom unique is that the tokens don’t need to belong to the person initiating the transfer. Before completing the transaction, the function checks if the spender has been authorized by the token owner to transfer tokens on their behalf and whether the owner has sufficient tokens. If both conditions are met, the transaction proceeds.
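The two checks described in the footnote above, as an added example that is not part of the original article or of Radiant's code: a minimal in-memory Python model of an ERC-20 allowance, plus a helper that reports how much a given spender could move under the approvals currently in place. The account names, amounts and the `exposure` helper are constructed for illustration.

```python
# Added example: minimal in-memory model of ERC-20 approve/transferFrom.
# Account names and amounts are constructed for illustration.
UNLIMITED = 2**256 - 1  # uint256 max, commonly used as an "unlimited" approval

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowances.get((owner, caller), 0)
        # Check 1: the owner has authorized this caller for at least `amount`.
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        # Check 2: the owner holds enough tokens.
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Some token implementations never decrement an unlimited allowance.
        if allowed != UNLIMITED:
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def exposure(self, spender):
        """Per owner, the most `spender` could move now: min(allowance, balance)."""
        return {o: min(a, self.balances.get(o, 0))
                for (o, s), a in self.allowances.items() if s == spender and a > 0}

def demo():
    t = Token({"alice": 1_000, "bob": 500, "carol": 300})
    t.approve("alice", "pool", UNLIMITED)  # standing unlimited approval
    t.approve("bob", "pool", 100)          # approval capped at the amount needed
    before = t.exposure("pool")
    try:
        t.transfer_from("pool", "carol", "pool", 1)  # carol never approved
        carol_blocked = False
    except PermissionError:
        carol_blocked = True
    t.approve("alice", "pool", 0)          # revoking closes alice's exposure
    return before, carol_blocked, t.exposure("pool")

if __name__ == "__main__":
    print(demo())
```

An owner's exposure to a spender is bounded by the allowance, not by the spender's intent, so capped approvals and revoking unused ones limit what can be moved if the approved spender's control is ever compromised.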

DeFi Protocols Remain a Tempting Target for Hackers

Radiant Capital, like many other decentralized finance (DeFi) protocols, relies on a multisignature system to safeguard its assets. However, hackers managed to bypass this system by obtaining access to enough private keys to carry out the exploit.

An investigation is currently underway to determine how the attackers gained control of the private keys. One theory suggests a possible compromise of the platform’s front-end, allowing the hackers to substitute their own tools for the legitimate management tools.

Radiant Capital has already suspended its markets and is collaborating with several cybersecurity firms to investigate the incident and attempt to recover the stolen funds.

This attack on Radiant Capital underscores the ongoing risks of using DeFi protocols. Despite their decentralized nature, these platforms remain vulnerable to hacking. Many of the attacks are tied to breaches in smart contracts, making it critical for developers to prioritize code security. A thorough audit of smart contracts is essential before launching any decentralized finance project.

It seems that the January 2024 hack, when Radiant Capital lost nearly 1,900 ETH, did not serve as a sufficient lesson for the platform.