The decentralized finance ecosystem suffered one of its most sophisticated attacks on October 17, 2024, when multi-chain lending protocol Radiant Capital lost over $53 million in a meticulously planned exploit. The breach, which targeted both BNB Chain and Arbitrum deployments, exposed critical vulnerabilities in how DeFi protocols manage multi-signature governance — and serves as a sobering reminder that even well-established security mechanisms can fail when attackers gain access to the devices of key personnel.
With Bitcoin hovering around $67,400 and Ethereum at $2,604 at the time of the attack, the crypto market was in a relatively stable period, making the Radiant Capital exploit all the more jarring for DeFi participants who had grown accustomed to thinking of multisig wallets as a gold standard of security.
The Exploit Mechanics
The attack unfolded with surgical precision, exploiting a critical weakness in Radiant Capital’s multi-signature governance setup. The protocol relied on an 11-signer multisig wallet — a configuration that should, in theory, have provided robust protection against unauthorized transactions. However, only 3 of those 11 signatures were required to execute transactions, creating a dangerously low threshold that became the protocol’s Achilles’ heel.
Blockchain security firm Ancilia first detected suspicious activity on Radiant’s BSC contract, issuing an urgent warning for users to revoke approvals as $16 million had already been drained. The attacker had managed to compromise at least three of the multisig signers through a sophisticated malware injection campaign targeting the personal devices of core contributors. Once the malware was in place, the attacker could manipulate transaction data displayed to signers, making malicious transactions appear legitimate during the signing process.
The attacker executed a three-step plan: first, transferring ownership of the Pool Provider contract — which manages Radiant’s various lending pools — to a malicious contract; second, upgrading the implementation of those lending pools; and third, draining all funds from the compromised pools across both BSC and Arbitrum.
Affected Systems
The attack impacted Radiant Capital’s deployments on BNB Chain and Arbitrum, with malicious contracts also deployed on Ethereum and Base, though those chains were not ultimately drained. The stolen funds were quickly moved through decentralized exchanges including 1inch, ParaSwap, PancakeSwap, and Odos, where they were swapped for ETH and BNB before being consolidated into attacker-controlled wallets.
On-chain analysis revealed that the malicious contract used for the proxy upgrade had been deployed 14 days before the attack across multiple chains, indicating weeks of careful preparation. Blockchain data from security firm Hacken further uncovered a failed exploit attempt on Arbitrum six days prior to the successful attack, demonstrating the attacker’s persistence and willingness to refine their approach after initial setbacks.
Radiant Capital responded by freezing all lending markets, including those on Base and Ethereum mainnet that had not been directly exploited. The protocol also published a list of contract addresses and urged users to revoke all approvals via Revoke.cash.
The Mitigation Strategy
The Radiant Capital exploit highlights several critical security failures that the broader DeFi community must address. First and foremost, the 3-of-11 multisig threshold proved grossly inadequate for a protocol managing over $50 million in user funds. Industry best practices recommend a minimum threshold of 60-70% of total signers — in Radiant’s case, that would have meant requiring at least 7 or 8 signatures out of 11, making it exponentially harder for an attacker to gain sufficient control.
Second, the malware injection vector underscores the growing threat of targeted social engineering attacks against key personnel. In October 2024 alone, Web3 security incidents led to approximately $147 million in total losses across 28 separate attacks, with phishing and social engineering playing an increasingly prominent role. Anti-fraud platform Scam Sniffer recorded 12,058 phishing victims during the same month, with losses totaling $18.04 million.
The incident also raises questions about the role of security firms in incident response. Ancilia, which initially detected the exploit, later faced criticism for inadvertently sharing a malicious link from an impersonating account posing as “Radiarnt Capital,” potentially exposing victims of the original exploit to a secondary wallet-draining attack.
Lessons Learned
The Radiant Capital exploit offers several hard-won lessons for the DeFi ecosystem. Protocols must implement higher multisig thresholds proportionate to the value they protect. Hardware-based signing — where transactions are verified on isolated devices — can prevent malware from manipulating the transaction data presented to signers. Regular security audits should examine not just smart contract code but the entire governance and key management infrastructure.
The two-week preparation window between malicious contract deployment and execution also highlights the importance of proactive monitoring. Security teams should implement automated alerts for suspicious contract deployments that could target their protocol, even before an attack is executed. The failed attempt on Arbitrum, had it been detected and investigated more thoroughly, might have provided early warning of the larger attack to come.
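The alerting described above can start from a protocol's own governance events. The following is an added example, not code from Radiant Capital or from this article: it scans decoded contract events for the first two steps of the sequence described under "The Exploit Mechanics" (an ownership transfer on a watched contract, then an implementation upgrade) and escalates when both occur close together on the same chain. All addresses, the `ImplementationUpgraded` event label, the allowlists and the 50-block window are assumptions made for illustration.

```python
from dataclasses import dataclass

# All addresses are constructed placeholders, not Radiant's real contracts.
WATCHED = {"0xPOOL_PROVIDER", "0xLENDING_POOL"}
APPROVED_OWNERS = {"0xGOV_MULTISIG"}
APPROVED_IMPLS = {"0xAUDITED_IMPL_V2"}
CHAIN_WINDOW = 50  # assumed: max blocks between takeover and upgrade to link them


@dataclass(frozen=True)
class Event:
    chain: str
    block: int
    contract: str
    name: str  # decoded event label; "ImplementationUpgraded" is a hypothetical name
    arg: str   # new owner or new implementation address


def scan(events):
    """Return (chain, block, severity, message) alerts for governance changes."""
    alerts = []
    takeover = {}  # chain -> block of the last unapproved ownership transfer
    for ev in sorted(events, key=lambda e: (e.chain, e.block)):
        if ev.contract not in WATCHED:
            continue
        if ev.name == "OwnershipTransferred" and ev.arg not in APPROVED_OWNERS:
            takeover[ev.chain] = ev.block
            alerts.append((ev.chain, ev.block, "HIGH",
                           f"{ev.contract} ownership moved to unapproved {ev.arg}"))
        elif ev.name == "ImplementationUpgraded" and ev.arg not in APPROVED_IMPLS:
            # An unapproved upgrade soon after an ownership takeover on the
            # same chain matches steps one and two of the described sequence.
            start = takeover.get(ev.chain)
            chained = start is not None and ev.block - start <= CHAIN_WINDOW
            alerts.append((ev.chain, ev.block, "CRITICAL" if chained else "HIGH",
                           f"{ev.contract} upgraded to unapproved {ev.arg}"))
    return alerts


# Constructed sample events (not real chain data).
SAMPLE = [
    Event("bsc", 1000, "0xPOOL_PROVIDER", "OwnershipTransferred", "0xUNKNOWN_CONTRACT"),
    Event("bsc", 1002, "0xLENDING_POOL", "ImplementationUpgraded", "0xUNKNOWN_IMPL"),
    Event("arbitrum", 500, "0xLENDING_POOL", "ImplementationUpgraded", "0xAUDITED_IMPL_V2"),
    Event("arbitrum", 900, "0xLENDING_POOL", "ImplementationUpgraded", "0xUNREVIEWED_IMPL"),
    Event("bsc", 1001, "0xOTHER_PROTOCOL", "OwnershipTransferred", "0xANYONE"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(*alert)
```

In a real deployment the events would come from a node or indexer subscription per chain, and a HIGH or CRITICAL alert would page the team before any pool funds move.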
User Action Required
For users who had funds on Radiant Capital’s BSC or Arbitrum markets, immediate action is critical. Revoke all token approvals for the affected contract addresses published by the Radiant team. Monitor Radiant Capital’s official communications for updates on fund recovery efforts and any potential compensation plans.
More broadly, this incident should prompt all DeFi users to regularly review and revoke unnecessary token approvals, use hardware wallets for high-value holdings, and maintain a healthy skepticism toward protocols that rely on low-threshold multisig governance. In a space where a single compromised device can lead to the loss of tens of millions of dollars, personal vigilance remains the last line of defense.
btc at 67400 during the oct 17 event adds to the chaos
$53M drained because 3 out of 11 devices were compromised. a 3-of-11 threshold for a protocol holding hundreds of millions is absurdly low. should have been 7-of-11 minimum
0xDetective.eth 7-of-11 would have helped but the real issue is the malware replacing what signers see on screen. even 7 compromised devices would show fake transactions
0xDetective.eth 7 of 11 wouldn't have helped here. the malware infected the signing devices themselves. threshold cryptography won't save you if the endpoint is compromised
the malware replaced what signers saw on their screens with a benign transaction while the actual payload drained the protocol. this is next level attack sophistication
this is why you verify transactions on the hardware device screen itself, not your computer. the malware on the PC can't fake what the ledger display shows you
audit_ghost hardware wallet verification is necessary but not sufficient. if the signer confirms on device and the malware swaps the payload between confirmation and broadcast, you're still toast
malware injection on that multisig still beats most defenses
sig_verify the gap between hardware confirmation and broadcast is where it falls apart. even verifying on the device screen won't help if the payload gets swapped in transit
53m drained on bnb and arbitrum with 3 of 11 signers hit
Ingrid the screen replacement attack is terrifying. hardware wallets are supposed to be the trusted display and even that got bypassed
Sigrid Holmberg the display on a ledger shows the decoded transaction but the malware can replace what appears on the computer screen before you even plug in. the trust boundary is narrower than people think
BTC at $67,400 when this happened. market completely unbothered while a $53M protocol drain unfolded. desensitization is real