Radiant Capital, a decentralized finance (DeFi) protocol that aims to consolidate fragmented liquidity across blockchains, lost millions of dollars in an exploit on Wednesday.

Web3 security firm De.Fi estimated that $58 million was lost in the contract exploit on the BSC and Arbitrum chains, while other security firms suggest the losses were closer to $51 million.

“We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum. We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible,” said the Radiant Capital team in an update on X.

“Markets on Base and Mainnet are paused until further notice.”

The attacker gained control of the protocol’s multisig wallet, transferred ownership and then proceeded to drain funds, according to Polygon Labs’ Chief Information and Security Officer Mudit Gupta.

“Radiant’s multisig had 11 signers, but only required 3 signatures to execute transactions,” observed Pop Punk, the pseudonymous founder of g8keep.

Multisig wallets are typically used as a security feature, requiring multiple approvals for transactions. Given the size of the protocol, Radiant’s low signer threshold was the subject of criticism from many industry watchers. 

Security firm Hacken noted that the malicious contract was actually prepared 14 days before Wednesday’s exploit, with the hacker unsuccessfully attempting to execute the exploit six days ago.

The attack also marks the second exploit that Radiant has seen in 2024 — the protocol lost $4.5 million in a flash loan exploit in January, leading to a near 40% drop in its total value locked shortly after.

Radiant’s native token RDNT dropped 9% following the news. At the time of writing, the token was trading at $0.066.