On October 17, 2024, decentralized finance (DeFi) protocol Radiant Capital was hit by a meticulously executed hack that resulted in a loss of $50 million. This attack was no ordinary exploit; it showcased a high level of sophistication, involving compromised hardware wallets, software Trojan infections, and seamless integration of malicious smart contracts. The attackers demonstrated extensive knowledge of both the technical infrastructure and organizational processes. This article will detail the mechanics of the attack, draw comparisons with other notable hacks, and provide actionable mitigation strategies.

The Technical Breakdown of the Attack

1. Trojan Infection of Team Members' Computers

The attack began with the Trojaning of several Radiant Capital team members' computers. Trojans are a form of malware disguised as legitimate software, allowing attackers to infiltrate machines and gather sensitive information or control devices remotely. In this case, the Trojan enabled the attackers to intercept multisig (multiple-signature) transaction requests.

- Multisig Explained: In decentralized finance, multisig wallets (like Gnosis Safe) require multiple private keys to approve and execute a transaction. These are often used to secure high-value funds or critical contract upgrades, ensuring that no single individual can act unilaterally.

2. Deception via Hardware Wallet Manipulation

Despite their systems being compromised, team members were oblivious to the infection. When they reviewed and verified multisig transaction data, the data appeared legitimate on their screens. However, the Trojan intercepted the actual signing requests sent to their hardware wallets.

- Hardware Wallets Explained: Hardware wallets are physical devices used to store private keys offline, providing an additional layer of security for signing cryptocurrency transactions. In a normal scenario, signing a transaction on a hardware wallet ensures that even if a computer is compromised, the attacker cannot access the private key or alter the transaction.

In this case, however, the Trojan replaced the legitimate transaction requests with a malicious one—specifically, a request to execute the `transferOwnership()` function. This function handed over control of the Radiant Capital lending pool to the attackers.

3. Atomic Execution of the Exploit

Once the attackers secured the necessary signatures, they orchestrated an atomic execution: a sequence of actions executed as one uninterrupted transaction on the Ethereum network. Because every step lands in the same transaction, there is no gap between steps in which the exploit could be detected or intercepted, which is why hackers often use this technique.

- Transfer of Ownership: The signed `transferOwnership()` function transferred control of the lending pool contract to the attackers.

- Contract Upgrade: Next, the attackers upgraded the contract using a new implementation (via the `setLendingPoolImpl` function), deploying malicious code to enable further theft.

- Initial Theft: The upgraded contract executed a `transferFrom()` function, allowing the attackers to withdraw funds from any user who had given approval to the lending pool contract.

4. Continuous Theft

Even after the initial exploit, the theft continued. The malicious contract remained live and operational, exploiting users who had granted approval to the lending pool contract. Each time a vulnerable user interacted with the contract, the malicious code executed and stole their assets.

This aspect of the attack emphasizes the importance of regularly reviewing and revoking unnecessary smart contract approvals to mitigate the risks of ongoing exploits.

5. Interception of Signing Requests

A key point of clarification: the hardware wallets themselves were not compromised. The Trojan on the infected computers intercepted the data before it was sent to the hardware wallet, modifying the transaction so that the wallets unwittingly signed the malicious request.

In standard multisig setups (e.g., Gnosis Safe), all participants must see and approve identical signatures. In this case, the legitimate signatures never appeared in the Gnosis Safe, suggesting that the attackers’ manipulation occurred before the data was even transmitted for approval.

Similar DeFi Hacks: A Broader Perspective

The Radiant Capital attack is reminiscent of several other major DeFi exploits, where sophisticated actors compromised signing processes, exploited contract vulnerabilities, or used atomic transactions to siphon funds.

1. The 2019 Upbit Hack

In November 2019, South Korean exchange Upbit lost $50 million worth of Ethereum in an attack that exploited a security flaw in its multisig cold wallet infrastructure. Although this wasn’t a Trojan attack, it highlighted how exploiting weaknesses in transaction signing processes could lead to the loss of massive amounts of funds.

2. The 2022 Harmony Bridge Hack

In June 2022, Harmony's Horizon Bridge suffered a $100 million exploit due to compromised multisig wallets. After gaining control of the multisig keys, the hackers took over the bridge through a series of malicious transactions. This hack, like Radiant Capital’s, emphasized the vulnerabilities inherent in multisig systems, especially when private keys or devices involved in signing are compromised.

3. The 2023 Euler Finance Attack

In March 2023, Euler Finance lost nearly $200 million in an exploit involving a flaw in its lending protocol. Although the Euler hack was a contract vulnerability exploit rather than a multisig or hardware wallet compromise, it demonstrated the attackers’ ability to combine multiple types of exploits into one seamless, atomic attack.

These hacks, including the Radiant Capital incident, share a common theme: they all relied on exploiting the complexities of decentralized finance infrastructure, often targeting vulnerabilities in multisig wallets, smart contracts, or transaction-signing processes.

Mitigation Measures: How to Protect Against Such Attacks

The Radiant Capital hack serves as a wake-up call for the DeFi ecosystem, demonstrating the need for proactive security measures to prevent similar exploits in the future. Below are key mitigation strategies:

1. Timelock and Governance Processes

Introducing timelocks in smart contract deployments can significantly reduce the risks of rapid, unchecked changes. A timelock introduces a delay (e.g., 24-48 hours) before critical contract functions like upgrades or large fund transfers can be executed.

- Example: Compound Finance implements a timelock of 2 days for any governance changes. This gives the community time to review, detect potential malicious proposals, and react before they are executed.

- A timelock combined with governance processes, where the community or core team must vote on critical changes, would have provided Radiant Capital with enough time to notice the ownership transfer and revoke approvals or take other preventative actions.
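
A minimal Python model of the timelock idea above, added here as an illustration; it is not Compound's or Radiant Capital's code. The `Call` and `Timelock` classes, the placeholder target and owner strings, and the timestamp are assumptions made for the example.

```python
from dataclasses import dataclass, field

DELAY = 2 * 24 * 3600   # 2-day delay, matching the Compound figure quoted above
SENSITIVE = {"transferOwnership", "setLendingPoolImpl"}  # functions named in this article

@dataclass(frozen=True)
class Call:
    target: str      # contract being called (placeholder label, not a real address)
    function: str    # function name only; argument types are not modelled
    args: tuple

@dataclass
class Timelock:
    queued: dict = field(default_factory=dict)   # Call -> earliest execution time

    def queue(self, call, now):
        self.queued[call] = now + DELAY
        return self.queued[call]

    def cancel(self, call):
        return self.queued.pop(call, None) is not None

    def execute(self, call, now):
        eta = self.queued.get(call)
        if eta is None:
            return "rejected: not queued"
        if now < eta:
            return "rejected: delay not elapsed"
        del self.queued[call]
        return "executed"

def unapproved_sensitive(timelock, approved):
    """Queued sensitive calls that no governance decision accounts for."""
    return [c for c in timelock.queued
            if c.function in SENSITIVE and c not in approved]

def scenario():
    """Constructed timeline: a signed but unexpected ownership transfer is queued."""
    tl, t0 = Timelock(), 1_700_000_000                    # constructed timestamp
    rogue = Call("lending-pool-owner (placeholder)", "transferOwnership",
                 ("0xNEW_OWNER_PLACEHOLDER",))
    tl.queue(rogue, t0)
    events = [tl.execute(rogue, t0)]                      # same-block attempt is refused
    flagged = unapproved_sensitive(tl, approved=set())    # review during the delay window
    for call in flagged:
        tl.cancel(call)
    events.append(tl.execute(rogue, t0 + DELAY))          # delay elapsed, but cancelled
    return flagged, events
```

The delay alone only buys time; the review step inside the window is what turns it into a control.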

2. Multisig Best Practices

If a hardware wallet’s signature does not result in a corresponding signature visible to all other signers in a multisig setup (such as Gnosis Safe), the signing process should be halted, and the transaction should be investigated. Cross-verifying signatures across multiple devices or team members can help prevent signing of malicious transactions.

Teams should also consider setting up additional layers of multisig where more signatures are required for critical actions like contract ownership changes or withdrawals.
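
One way to cross-verify a signing request, shown as an added Python example rather than code from Radiant Capital or Safe: decode the raw calldata that is about to be signed and compare it with what the signer meant to approve. It assumes the check runs on a machine separate from the one that built the request; the `request`/`intent` dictionaries, function names and sample addresses are constructed for illustration.

```python
# Selectors: first 4 bytes of keccak256 of the function signature (well-known values).
SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "a9059cbb": "transfer(address,uint256)",
}

def decode_call(data_hex):
    """Split raw calldata into (signature, list of 32-byte argument words)."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4 or (len(raw) - 4) % 32:
        raise ValueError("calldata is not a selector plus 32-byte words")
    selector = raw[:4].hex()
    words = [raw[i:i + 32] for i in range(4, len(raw), 32)]
    return SELECTORS.get(selector, "unknown:0x" + selector), words

def reasons_to_halt(request, intent):
    """Compare the payload about to be signed with what the signer meant to approve."""
    try:
        sig, words = decode_call(request["data"])
    except ValueError as exc:
        return [f"undecodable calldata: {exc}"]
    reasons = []
    if request["to"].lower() != intent["to"].lower():
        reasons.append("target differs from intent")
    if sig != intent["function"]:
        reasons.append(f"function is {sig}, intent was {intent['function']}")
        if sig == "transferOwnership(address)" and len(words) == 1:
            # An address argument occupies the low 20 bytes of its 32-byte word.
            reasons.append("undeclared ownership change to 0x" + words[0][12:].hex())
    return reasons

# Constructed sample data (all addresses are made up).
TOKEN, OWNABLE = "0x" + "aa" * 20, "0x" + "dd" * 20
INTENT = {"to": TOKEN, "function": "transfer(address,uint256)"}
EXPECTED = {"to": TOKEN,
            "data": "0xa9059cbb" + "00" * 12 + "bb" * 20 + f"{1000:064x}"}
SWAPPED = {"to": OWNABLE, "data": "0xf2fde38b" + "00" * 12 + "cc" * 20}
```

An empty list means the payload matches the declared intent; any entry is a reason to stop and investigate before signing.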

3. Secure Team Members' Devices

One of the primary entry points for the Radiant Capital hack was the compromise of team members’ computers. Organizations must:

- Implement strict endpoint security measures, including the use of anti-malware and intrusion detection software.

- Enforce hardware wallet usage policies, ensuring they are used only on secure, isolated machines to reduce the risk of interception.

- Conduct regular security audits and penetration testing to identify and fix any vulnerabilities in the organization’s infrastructure.

4. Revoke Unnecessary Approvals

Users should regularly review and revoke unnecessary smart contract approvals. DeFi users often give perpetual approvals to certain contracts to avoid signing every transaction. However, this practice opens up the possibility for malicious contracts to drain their funds.

Services like Etherscan’s token approval checker allow users to easily view and revoke token approvals that they no longer use, minimizing exposure to similar attacks.
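
The review described above can also be scripted. The following Python example is added here and is not taken from any approval-checker service: it replays ERC-20 `Approval` event logs to list allowances still outstanding to one spender, such as a compromised lending pool. The log dictionaries and all addresses are constructed sample data. The standard does not require an `Approval` event when `transferFrom` spends an allowance, so the result is an upper bound to confirm with an on-chain `allowance()` call.

```python
# topic0 of the ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()     # indexed address = low 20 bytes of the topic

def outstanding_approvals(logs, spender):
    """Replay logs in chain order; return {(token, owner): allowance} still non-zero."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 Approval shares the hash but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        value = int(log["data"], 16)
        if value:
            state[key] = value            # the latest approval replaces the earlier one
        else:
            state.pop(key, None)          # approve(spender, 0) is a revocation
    return state

def revocation_list(logs, spender):
    """Sorted (token, owner, amount) rows that still need revoking."""
    return sorted((token, owner, "unlimited" if v == MAX_UINT256 else str(v))
                  for (token, owner), v in outstanding_approvals(logs, spender).items())

# --- constructed sample data: addresses and logs are made up ---
def _log(block, idx, token, owner, spender, value):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(value)}

POOL, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
ALICE, BOB, CAROL = "0x" + "c3" * 20, "0x" + "d4" * 20, "0x" + "e5" * 20
SAMPLE_LOGS = [
    _log(105, 2, TOKEN_A, BOB, POOL, 0),             # Bob revokes (listed out of order)
    _log(100, 0, TOKEN_A, ALICE, POOL, MAX_UINT256),
    _log(101, 3, TOKEN_A, BOB, POOL, 500),
    _log(102, 1, TOKEN_B, ALICE, POOL, 1000),
    _log(103, 0, TOKEN_A, CAROL, OTHER, MAX_UINT256),
]
```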

5. Education and Incident Response Preparedness

DeFi teams should establish incident response plans and educate team members about potential threats like social engineering, phishing, and hardware wallet interception. Training on how to detect and respond to suspicious activities, like discrepancies in multisig signing processes, could help mitigate the impact of future attacks.

The Radiant Capital hack demonstrates the increasing sophistication of DeFi exploits, blending social engineering, malware, and smart contract vulnerabilities into a seamless, highly effective attack. By learning from this incident and implementing robust security measures—timelocks, governance processes, secure hardware wallet practices, and proactive user education—DeFi protocols can better defend against future threats.

As DeFi continues to grow, so too will the sophistication of attacks. It is imperative that protocols, developers, and users remain vigilant, prioritize security, and adopt the best practices that will safeguard their funds in an increasingly hostile digital environment. The lessons from Radiant Capital, and similar hacks that have preceded it, should be widely applied to strengthen the entire ecosystem against evolving threats.

Thanks to @danielvf