Radiant Capital Suffers $58 Million Multisig Exploit as Developer Devices Compromised

The decentralized finance ecosystem faces another sobering reminder of its security challenges as Radiant Capital, a prominent cross-chain lending protocol, confirms losses exceeding $58 million following a sophisticated attack on its multi-signature wallet infrastructure. The exploit, executed on October 16, 2024, targeted the protocol’s deployments across Arbitrum and Binance Smart Chain, marking the second major security incident to hit the platform within the same year.

The Exploit Mechanics

The attack vector was notably more advanced than typical smart contract exploits seen in the DeFi space. Rather than targeting a code vulnerability, the attacker focused on the human element — compromising the devices of multiple developers who served as signers on Radiant’s Gnosis Safe multi-signature wallet. Radiant Capital employed a 3-of-11 multi-signature scheme for its Pool Provider contract, which governed the protocol’s various lending pools across chains. By infecting at least three signers’ devices with malware, the attacker was able to collect legitimate cryptographic signatures while simultaneously manipulating what those signers saw on their screens. The Gnosis Safe interface displayed what appeared to be routine transactions, while in reality, the signatures authorized a malicious contract upgrade that transferred ownership of the protocol’s Pool Provider contract to an address controlled by the attacker.

Once the ownership transfer was complete, the attacker upgraded the pool contracts to malicious versions that allowed direct drainage of user funds. The stolen assets included a mix of wrapped Bitcoin, Ether, stablecoins, and other tokens held within Radiant’s lending pools. The total losses were estimated at approximately $58 million, making it one of the largest DeFi exploits of October 2024.
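A signer-side check for the mismatch described above, as an added example that is not Radiant's or Safe's own code: it decodes a pending transaction's raw fields instead of trusting the interface, and flags ownership transfers, upgrades and delegatecalls. It assumes the raw `to`, `data` and `operation` fields are obtained and reviewed on a machine separate from the one used to sign; the addresses, allowlist and function names are constructed for illustration.

```python
# Added example: independent triage of a pending Safe transaction's raw fields.
SENSITIVE_SELECTORS = {  # standard 4-byte IDs of these Solidity signatures
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}
DELEGATECALL = 1  # value of the Safe `operation` field (0 = plain call)


def first_address_arg(data: bytes) -> str:
    """Decode the first ABI argument (one 32-byte word) as an address."""
    word = data[4:36]
    if len(word) != 32 or any(word[:12]):
        raise ValueError("first argument is not a well-formed address")
    return "0x" + word[12:].hex()


def review_safe_tx(tx: dict, allowed_targets: set, trusted_owners: set) -> list:
    """Return findings for one pending transaction; an empty list means no flags."""
    findings = []
    raw = tx["data"][2:] if tx["data"].startswith("0x") else tx["data"]
    data = bytes.fromhex(raw)
    if tx["operation"] == DELEGATECALL:
        findings.append("delegatecall: target code runs with the Safe's authority")
    if tx["to"].lower() not in allowed_targets:
        findings.append("target %s is not on the allowlist" % tx["to"])
    name = SENSITIVE_SELECTORS.get(data[:4].hex())
    if name:
        try:
            addr = first_address_arg(data)
            trust = "trusted" if addr in trusted_owners else "UNKNOWN"
            findings.append("%s -> %s (%s address)" % (name, addr, trust))
        except ValueError as exc:
            findings.append("%s: %s" % (name, exc))
    return findings


# Constructed samples (0x12345678 is a made-up selector), not incident data.
POOL_PROVIDER = "0x" + "11" * 20
TEAM_SAFE = "0x" + "22" * 20
STRANGER = "0x" + "99" * 20
ROUTINE_TX = {"to": POOL_PROVIDER, "operation": 0,
              "data": "0x12345678" + "00" * 32}
HIDDEN_TX = {"to": POOL_PROVIDER, "operation": 0,
             "data": "0xf2fde38b" + "00" * 12 + STRANGER[2:]}

if __name__ == "__main__":
    for tx in (ROUTINE_TX, HIDDEN_TX):
        print(review_safe_tx(tx, {POOL_PROVIDER}, {TEAM_SAFE}))
```

The check only helps if the fields reviewed are the ones actually signed, so the decoded result should match what the signing device itself displays.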

Affected Systems

The attack impacted Radiant Capital’s deployments on two major networks: Arbitrum, the leading Ethereum Layer 2 scaling solution, and Binance Smart Chain (BSC). On both chains, the attacker drained liquidity from the protocol’s core lending pools, affecting users who had supplied assets to earn yield. The Radiant team confirmed that the Ethereum mainnet deployment was not affected, as it utilized a separate set of contracts and signers. The cross-chain nature of the exploit highlights a fundamental challenge in multi-chain DeFi: as protocols expand across networks, their attack surface grows proportionally, and each additional deployment introduces new vectors for compromise.

At the time of the attack, Bitcoin traded near $67,300 and Ether held at approximately $2,620, anchoring the dollar value of the stolen assets to a market environment where major cryptocurrencies showed relative stability. The exploit did not trigger broader market contagion, but it did cause a sharp decline in Radiant’s native token value as users rushed to assess the damage.

The Mitigation Strategy

In the immediate aftermath, Radiant Capital and the broader DeFi security community moved swiftly to contain the damage. The protocol revoked access to all compromised contracts on both Arbitrum and BSC, preventing the attacker from extracting additional funds. Public alerts were issued advising all Radiant users to revoke their token approvals for the affected contract addresses — a critical step, as lingering approvals could allow further exploitation even after the initial attack. On-chain analysts and security firms including BlockSec, Halborn, and QuillAudits began investigating the exploit path. Early findings pointed to a social engineering campaign in which the attacker posed as a former contractor, delivering malware through Telegram communications — a technique increasingly associated with North Korea-aligned threat groups targeting the cryptocurrency industry.

Lessons Learned

The Radiant Capital incident reinforces several critical security principles for the DeFi ecosystem. First, multi-signature thresholds must be calibrated to balance operational efficiency with genuine security. A 3-of-11 threshold, while appearing robust, effectively means that compromising just three devices grants full control — a bar that sophisticated attackers have repeatedly proven capable of clearing. Protocols should consider higher thresholds, mandatory hardware wallet usage for all signers, and time-locked execution windows that allow for community review of pending transactions. Second, the attack demonstrates that frontend manipulation combined with device-level malware represents an evolving threat that traditional smart contract auditing cannot address. Protocols need comprehensive security programs that encompass not just code review, but also operational security training for all team members with privileged access.

User Action Required

Any user who interacted with Radiant Capital on Arbitrum or BSC should immediately revoke all token approvals for the protocol’s affected contracts. This can be done through tools like Revoke.cash or Etherscan’s token approval checker. Users should also monitor official Radiant Capital communication channels for updates on the recovery process and any potential reimbursement plans. As a general practice, DeFi users should regularly review and clean up token approvals across all chains, limiting exposure to only the protocols they actively use.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before interacting with any DeFi protocol.


8 thoughts on “Radiant Capital Suffers $58 Million Multisig Exploit as Developer Devices Compromised”

    1. second incident and they still hadn't upgraded their signer security after the first one. no sympathy at this point tbh

  1. manipulating what signers saw on screen while collecting legit signatures… that's brutal. hardware wallets can't save you from this

    1. hardware wallets actually could have helped if the signing was done on-device with blind signing disabled. the issue was they were using software wallets connected to a compromised machine
