
Radiant

Multi-Chain
Last audited on 2024/07/23
No active critical issues

Last Issues (49)

            Low  Medium  High  Critical  Total
Not fixed   -    -       -     -         0
Fixed       24   20      4     1         49
Total       24   20      4     1         49

Reported rekts

Radiant Capital was reported as rekt on 2024/10/16
Quick Summary

On October 16, 2024, Radiant Capital, a decentralized finance (DeFi) lending protocol, was exploited in a major cyberattack,
resulting in over $50 million in losses.




Details of the Exploit

On October 16, 2024, Radiant Capital, a decentralized finance (DeFi) lending protocol, was exploited in a major cyberattack,
resulting in over $50 million in losses. Attackers gained access to three out of 11 private keys needed to control Radiant's smart
contracts, allowing them to drain funds across multiple blockchains. The breach impacted liquidity pools on the Binance Smart
Chain (BSC) and Arbitrum networks, forcing Radiant to suspend its markets on Ethereum and Base as part of its damage control
efforts.

The attackers compromised Radiant’s multi-signature wallet, which requires multiple key holders to approve critical actions. By
obtaining three private keys, they gained sufficient control to upgrade the protocol’s smart contracts and initiate unauthorized
transfers of assets. Hackers drained liquidity pools holding popular tokens like USDC, WBTC, WETH, and BNB. Notably, $18 million
was stolen from Radiant's BSC pools, and additional funds were compromised on Arbitrum. In response, Radiant partnered with
security firms, including SEAL911 and Chainalysis, to investigate and urged users to revoke smart contract permissions.




Block Data Reference

Exploiter:

https://arbiscan.io/address/0x0629b1048298ae9deff0f4100a31967fb3f98962

https://bscscan.com/address/0x911215cf312a64c128817af3c24b9fdf66b7ac95

Radiant Capital was reported as rekt on 2024/01/01
Quick Summary

Radiant Capital suffers $4.5 million loss in ETH due to flash loan attack.




Details of the Exploit

On January 2, 2024, Radiant Capital, a multichain lending protocol, was attacked through a flash loan exploit, resulting in the
theft of over 1,900 ETH, valued at over $4.5 million. The attacker exploited a vulnerability in the project's token quantity
calculation, involving precision expansion and rounding. By controlling the precision and using rounding to expand profit margins,
the attacker drained all USDC from the pool. As of the time of writing, the stolen 1,902 ETH remains in the hacker's address
without any movement.




Block Data Reference

Attacker address:

https://arbiscan.io/address/0x826d5f4d8084980366f975e10db6c4cf1f9dde6d




Malicious transactions:

https://arbiscan.io/tx/0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b

https://arbiscan.io/tx/0x2af556386c023f7ebe7c662fd5d1c6cc5ed7fba4723cbd75e00faaa98cd14243

https://arbiscan.io/tx/0xc5c4bbddec70edb58efba60c1f27bce6515a45ffcab4236026a5eeb3e877fc6d




Malicious contract:

https://arbiscan.io/address/0x39519c027b503f40867548fb0c890b11728faa8f

Audits (3)

#  Name               Auditor       Date        Chains               Issues
1  Radiant Riz Audit  OpenZeppelin  2024/07/23  Off-Chain (Private)  No active critical issues
2  Radiant V2 Audit   OpenZeppelin  2023/10/18  Off-Chain (Private)  No active critical issues
3  Radiant Capital    Zokyo         2022/03/06  Off-Chain (Private)  No active critical issues