ChainCatcher news, SlowMist released the analysis of the Radiant Capital security incident (Arbitrum chain) on X:

Radiant Capital uses a multi-signature wallet (0x111ceeee040739fd91d29c34c33e6b3e112f2177) to manage key operations such as contract upgrades and fund transfers. However, the attacker illegally controlled 3 owner permissions in the multi-signature wallet.

Since Radiant Capital’s multi-signature wallet uses a 3/11 signature verification model, the attacker first uses the private keys of the three owners to sign off-chain, and then initiates an on-chain transaction from the multi-signature wallet to transfer the ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.

Subsequently, the malicious contract calls the setLendingPoolImpl function of the LendingPoolAddressesProvider contract to upgrade the underlying logic contract of the Radiant lending pool to a malicious backdoor contract (0xf0c0a1a19886791c2dd6af71307496b1e16aa232).

Finally, the attacker executes the backdoor function to transfer funds from various lending markets to the attack contract.