DeFi platform Radiant Capital has informed US law enforcement about the breach that resulted in the loss of over $50 million from its protocol on BNB Chain and Arbitrum. In a post on X, the team said it is also working with Web3 security company ZeroShadow and other law enforcement agencies to recover the money and freeze the stolen assets.

The protocol experienced a unique hack on its platform’s Arbitrum and BNB Chain instances, during which the hacker transferred millions by deploying a backdoor contract. With the smart contract controlled by a multi-sig, it was initially uncertain how the hacker gained access. However, the protocol has commenced recovery efforts.

Radiant Capital said:

“The DAO is deeply devastated by this attack and will continue to work tirelessly with the respective agencies to identify the exploiter and recover the stolen funds as quickly as possible.”

While the protocol plans to recover the stolen funds, doing so may prove challenging, particularly as the hacker has already swapped the stolen funds into ETH and BNB, holding 12,835 ETH worth $33.56 million and 32,133 BNB worth $19.35 million. This conversion makes it difficult to freeze the stolen funds, and the attacker can move them on-chain and launder them through a crypto mixer.

Post-mortem shows the Radiant Capital exploit was highly sophisticated

Meanwhile, investigations into the exploit by blockchain security experts, including Security Alliance and Hypernative Labs, have shown that the hack was caused by the compromise of the hardware wallets of three Radiant developers who are also key contributors to the Radiant decentralized autonomous organization (DAO).

Although the DAO contributors were in different geographic locations, the hacker was able to compromise their hardware wallets by injecting malware that gave them control of those wallets and allowed the execution of the exploit.

According to the Radiant Capital report, the hack happened during a routine multi-signature emission process. The full nature of the exploit remains a mystery because there was no sign of any issue with Safe Wallet’s front end.

It said:

“The means by which they were compromised remains unknown and under investigation. The devices were compromised in such a way that the frontend of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background.”

However, Radiant noted that the DAO contributors followed all the procedures for the routine process, and the Tenderly and Safe front ends on all compromised devices did not show any abnormal activity during the incident. It added that the level of sophistication of the incident is concerning, as the affected devices showed no sign of being compromised apart from minor glitches and error messages, which are common issues.

Security experts recommend precautions for DeFi protocols

Following the incident, security experts highlighted the risks DeFi protocols face as bad actors deploy more sophisticated measures for exploiting these platforms. As the Radiant post-mortem noted, the teams investigating this attack believe it is one of the most sophisticated. They have now outlined new strategies for keeping DeFi protocols safe.

The investigators have recommended preventative steps for DeFi protocols to prevent a recurrence. These include multi-layer signature verification and pausing any governance process once a multi-sig experiences an error until there is a full review. They also recommended using independent devices to verify transaction data before signing and integrating audit mechanisms for recurring errors and glitches.

Additionally, DeFi protocols have been advised to improve their hardware security by avoiding blind signing for critical transactions. This means that any interaction with a hardware wallet is verified visually through the transaction data or other means before approval.

Meanwhile, DeFi protocols have also been advised to review all transaction payloads manually by examining the raw transaction data from the wallet provider and confirming the function through the Etherscan data decoder before implementing it.
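The independent-device check and the manual payload review described in the recommendations above (decode the raw calldata, confirm the function selector, compare the result with what the signing front end displayed) as an added Python example that is not part of this article or of any Radiant, Security Alliance or Hypernative tooling. It carries its own Keccak-256 so it runs offline on the standard library alone; the allowlist of function signatures, the treasury and recipient addresses and the claimed transfer are constructed placeholders, and the decoder handles static ABI types only.

```python
MASK = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def _keccak_f(a):
    # Keccak-f[1600] on a 5x5 array of 64-bit lanes a[x][y]; theta, rho+pi, chi, iota per round
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & MASK & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    # Ethereum's Keccak-256: 136-byte rate and the original 0x01 padding (SHA3-256 uses 0x06)
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):  # lane i sits at x = i % 5, y = i // 5, little-endian
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def selector(signature: str) -> bytes:
    return keccak256(signature.encode())[:4]  # first four bytes of the canonical signature's hash

def _arg_types(signature):
    inner = signature[signature.index("(") + 1:signature.rindex(")")]
    return inner.split(",") if inner else []

def encode_call(signature, args):
    # ABI-encode a call with static arguments (only used here to build the sample payloads)
    words = [bytes.fromhex(v[2:]).rjust(32, b"\x00") if t == "address" else int(v).to_bytes(32, "big")
             for t, v in zip(_arg_types(signature), args)]
    return selector(signature) + b"".join(words)

def _decode_word(t, word):
    if t == "address":
        if any(word[:12]): raise ValueError("address word carries non-zero padding bytes")
        return "0x" + word[12:].hex()
    if t.startswith("uint"): return int.from_bytes(word, "big")
    raise ValueError(f"unsupported ABI type {t}: this example decodes static types only")

# Assumed allowlist: the only functions a routine operation is ever expected to call
KNOWN_SIGNATURES = ["transfer(address,uint256)", "approve(address,uint256)",
                    "transferOwnership(address)", "upgradeTo(address)"]

def decode_calldata(calldata, signatures=KNOWN_SIGNATURES):
    # Match the selector against the allowlist, then decode one 32-byte word per argument
    sel = calldata[:4]
    sig = next((s for s in signatures if selector(s) == sel), None)
    out = {"selector": "0x" + sel.hex(), "function": sig, "args": [], "extra": b""}
    if sig is None:
        return out
    body, types = calldata[4:], _arg_types(sig)
    if len(body) < 32 * len(types): raise ValueError("calldata truncated")
    out["args"] = [_decode_word(t, body[32 * i:32 * i + 32]) for i, t in enumerate(types)]
    out["extra"] = body[32 * len(types):]  # anything after the declared arguments is suspicious
    return out

def verify_intent(calldata, claimed_function, claimed_args):
    # Compare the raw payload with what the signing UI displayed; an empty list means they agree
    d = decode_calldata(calldata)
    if d["function"] is None:
        return [f"unknown selector {d['selector']}: not on the allowlist, do not sign"]
    if d["function"] != claimed_function:
        return [f"function mismatch: UI shows {claimed_function}, payload calls {d['function']}"]
    findings = [f"argument {i} mismatch: UI shows {w!r}, payload has {g!r}"
                for i, (w, g) in enumerate(zip(claimed_args, d["args"]))
                if str(w).lower() != str(g).lower()]
    if d["extra"]:
        findings.append(f"{len(d['extra'])} trailing bytes after the encoded arguments")
    return findings

# Constructed sample: the UI shows a routine transfer to a placeholder treasury address, while
# the payload actually handed to the device is an ownership transfer to a different address.
TREASURY = "0x" + "11" * 20
CLAIMED = ("transfer(address,uint256)", [TREASURY, 1_000 * 10**18])
RAW_PAYLOAD = encode_call("transferOwnership(address)", ["0x" + "ba" * 20])
if __name__ == "__main__":
    print(verify_intent(RAW_PAYLOAD, *CLAIMED) or ["payload matches the UI"])
```

The point of running this on a second, independent machine is that it never trusts the front end: it takes the raw bytes the wallet provider is about to sign, recomputes the selector from the canonical signature rather than looking it up, and refuses on any selector outside the allowlist, on any argument that differs from what the operator was shown, and on trailing bytes after the declared arguments. A `transferOwnership` payload dressed up as a routine transfer is reported as a function mismatch before anything is approved.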