Blockchain Lending Protocol Radiant Capital Loses $50M to Second Exploit This Year

Attackers appear to have obtained three out of 11 private keys needed to upgrade the protocol.

Web3 lending protocol Radiant Capital lost over $50 million on Wednesday in an apparent cyberattack, according to security firms and blockchain data.

An attacker gained control of Radiant's blockchain contracts by obtaining three of the "private keys" that control the protocol, security experts said.

CoinDesk Live at Avalanche Summit 2024 Day 1 | Partner Content

"Radiant Capital contracts were exploited on BSC & ARB chains with the 'transferFrom' function," Web3 security firm De.Fi explained on X. The exploit allowed attackers to "drain users' funds, namely $USDC $WBNB $ETH and others," the firm said.

Radiant is controlled by a multi-signature, or "multisig" wallet with 11 signers, De.Fi said in a separate X post. The attacker was apparently able to obtain three of these signers' "private keys," which was enough to upgrade the platform's smart contracts.

Radiant allows users to borrow, lend and bridge cryptocurrencies across blockchains. It's the second time this year that the protocol has been hit by an exploit; in January, Radiant lost $4.5 million in an unrelated hack that stemmed from a bug in its smart contracts.

It was unclear at press time how the private keys were compromised in Wednesday's attack. Some members of an Ethereum security group on Telegram speculated that the attack could've stemmed from a compromised front-end – meaning the legitimate Radiant key-holders may have accidentally interacted with a malware-laced protocol.

Radiant acknowledged the exploit in a post to its official X account, but it did not provide specific details.

"We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum," Radiant said. "We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible. Markets on Base and Mainnet are paused until further notice."

Radiant, which is governed by a decentralized autonomous community (DAO), states on its website that its mission is to "unify the billions in fragmented liquidity across Web3 money markets under one safe, user-friendly, capital-efficient omnichain" protocol.

This is a developing story. Radiant Capital did not immediately respond to a request for comment.

UPDATE (20:45 UTC, 16/10/24): Adds background information regarding Radiant and another hack in January, 2024.

Edited by Bradley Keoun.

Sign up for The Protocol, our weekly newsletter exploring the tech behind crypto one block at a time.

By clicking ‘Sign Up’, you agree to receive newsletter from CoinDesk as well as other partner offers and accept our terms of services and privacy policy.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.