Radiant Capital, a leading blockchain lending platform, has fallen victim to a devastating cyberattack, resulting in losses exceeding $50 million. The attack, which took place on Wednesday, saw an unknown hacker gain unauthorized control over the platform’s blockchain contracts by compromising key components of its security structure, according to Web3 security experts.

The attack marks the second time Radiant has been targeted in 2024. 

The breach occurred when the attacker successfully obtained three private keys controlling Radiant’s blockchain contracts on both the Binance Smart Chain (BSC) and Arbitrum networks. According to Web3 security firm De.Fi, the hacker exploited the “transferFrom” function within the contracts, allowing them to siphon off significant amounts of digital assets, including USDC, Wrapped BNB (WBNB), and Ethereum (ETH).

Exploiting Multisig Wallet Vulnerabilities

Radiant Capital's contracts are controlled by a multi-signature wallet, which requires approval from several signers to authorize any significant contract change. In this case, the platform’s multisig wallet has 11 signers, and the attacker managed to acquire the private keys of three of them. This provided enough leverage to modify the platform’s smart contracts and initiate the large-scale theft.

The hack highlights vulnerabilities in decentralized finance (DeFi) protocols, where control over private keys can have catastrophic consequences. While the exact method by which the keys were compromised remains unclear, some members of an Ethereum security group speculated that the breach may have stemmed from a compromised front-end. This would suggest that legitimate Radiant key holders might have unknowingly interacted with a malware-infected version of the protocol.

Radiant Pauses Operations

In response to the incident, Radiant Capital posted an acknowledgment on its official X account, stating that it is actively investigating the matter. The company has paused operations on its lending markets across the Binance Chain and Arbitrum, with its Base and Mainnet markets also frozen as a precautionary measure. Radiant has partnered with cybersecurity firms SEAL911, Hypernative, ZeroShadow, and Chainalysis to assist in its investigation.

Amid this chaos, crypto security firm Ancilia mistakenly shared a link to a wallet drainer while trying to help Radiant attack victims. Users were rushing to revoke permissions after the hack when Ancilia, in a now-deleted post, shared a scam link from a fake Radiant X account. The link, if followed, would have drained users’ funds.

Notably, earlier this year, in January, Radiant suffered a $4.5 million loss due to a smart contract bug.

The post Radiant Capital Suffers $50M Loss in Major Cyberattack, Users’ Funds Drained appeared first on TheCoinrise.com.