According to TechFlow, on October 17, blockchain security company SlowMist released an analysis of the Radiant Capital security incident. The attacker illegally obtained the permissions of three owners of the Radiant Capital multi-signature wallet (address: 0x111ceeee040739fd91d29c34c33e6b3e112f2177). Because the multi-signature wallet uses a 3-of-11 signature threshold, the attacker signed off-chain with these three private keys and then initiated an on-chain transaction that transferred ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.
The attacker then called the setLendingPoolImpl function through the malicious contract to upgrade the underlying logic contract of the Radiant Lending Pool to a malicious contract with a backdoor (address: 0xf0c0a1a19886791c2dd6af71307496b1e16aa232). Finally, the attacker executed the backdoor function to transfer funds from the various lending markets to the attack contract.
To protect user funds, SlowMist recommends that users immediately revoke authorization for the following addresses:
Ethereum mainnet: 0xA950974f64aA33f27F6C5e017eEE93BF7588ED07
Arbitrum: 0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1
BSC: 0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281
Base: 0x30798cFe2CCa822321ceed7e6085e633aAbC492F
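
As an added example (not SlowMist's or Radiant's code), the sketch below finds which token approvals a wallet still has open toward the four addresses listed above and builds the `approve(spender, 0)` calldata that revokes each one. It assumes that "authorization" here means a standard ERC-20 approval and that logs arrive as `eth_getLogs`-style dictionaries with block numbers already parsed to integers; the owner, token addresses and log entries are constructed sample data.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
MAX_UINT = 2**256 - 1

# Spender addresses copied from the list above, lower-cased for comparison.
FLAGGED_SPENDERS = {a.lower() for a in (
    "0xA950974f64aA33f27F6C5e017eEE93BF7588ED07",
    "0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1",
    "0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281",
    "0x30798cFe2CCa822321ceed7e6085e633aAbC492F",
)}

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Map (token, spender) -> last approved value, for flagged spenders only."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0] != APPROVAL_TOPIC:
            continue  # an ERC-721 Approval shares topic0 but has 4 topics
        spender = topic_to_address(t[2])
        if topic_to_address(t[1]) == owner.lower() and spender in FLAGGED_SPENDERS:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {pair: v for pair, v in latest.items() if v > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the transaction goes to the token."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# --- Constructed sample data (not real accounts, tokens or transactions) ---
OWNER, TOKEN_A, TOKEN_B = ("0x" + c * 20 for c in ("11", "aa", "bb"))
SPENDER_X = "0xa950974f64aa33f27f6c5e017eee93bf7588ed07"  # first listed address
SPENDER_Y = "0xd50cf00b6e600dd036ba8ef475677d816d6c4281"  # third listed address

def make_log(token, spender, value, block):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)], "data": hex(value)}

SAMPLE_LOGS = [
    make_log(TOKEN_B, SPENDER_Y, 0, 105),         # later revocation
    make_log(TOKEN_A, SPENDER_X, MAX_UINT, 100),  # unlimited, still open
    make_log(TOKEN_B, SPENDER_Y, 500, 101),
    make_log(TOKEN_A, "0x" + "cc" * 20, 1, 102),  # spender not on the list
]

if __name__ == "__main__":
    for (token, spender), value in outstanding_approvals(SAMPLE_LOGS, OWNER).items():
        print(token, spender, hex(value), revoke_calldata(spender))
```

The value recovered from logs is the last amount approved, not the amount remaining, since spending can reduce a finite allowance without a new Approval event. Confirm with the token's `allowance(owner, spender)` call before and after sending the revocation.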