The October 17, 2024 exploit of Radiant Capital — which drained over $53 million from BNB Chain and Arbitrum deployments — was not a simple smart contract vulnerability. It was a sophisticated multi-vector attack combining device compromise, transaction manipulation, and proxy contract exploitation. For experienced crypto users and protocol contributors, this incident provides a detailed case study in advanced transaction verification techniques that can prevent similar losses. With Bitcoin at $67,400 and Ethereum at $2,604 at the time, the attack’s scale underscored the urgent need for more rigorous signing practices across the DeFi ecosystem.
The Objective
This guide walks through the specific technical mechanisms the Radiant Capital attacker used and explains how each step could have been detected and prevented through proper transaction verification. By the end, you will understand how to simulate, decode, and verify complex multisig transactions before signing — a skill that could save your protocol millions.
The attacker’s approach followed a clear kill chain: compromise signer devices with malware, manipulate the transaction data displayed to those signers, execute ownership transfers and proxy upgrades, and finally drain the affected pools. Each of these steps left on-chain traces that could have been caught with the right verification tools and procedures.
Prerequisites
Before proceeding, you should be familiar with the following concepts and tools:
Proxy patterns: Most upgradeable DeFi protocols use the EIP-1967 transparent proxy pattern, where a proxy contract delegates all function calls to an implementation contract. The proxy holds the storage and funds, while the implementation contains the logic. Upgrading means pointing the proxy to a new implementation address. This is exactly what the Radiant Capital attacker exploited — they upgraded the implementation to a malicious contract that drained user funds.
Multisig frameworks: Gnosis Safe (Safe) is the industry standard for multisig wallets. Understanding how Safe transactions are structured — including the difference between a simple ETH transfer and a contract interaction — is essential for verifying what you are signing.
Transaction simulation: Tools like Tenderly, Foundry’s cast run, or Safe’s built-in transaction simulator allow you to preview the exact state changes a transaction will produce before any signature is collected. This is your most powerful defense against manipulated transaction displays.
ABI decoding: The ability to decode calldata into human-readable function calls and parameters. When a multisig transaction shows raw hex data, ABI decoding reveals what that data actually does — whether it is a simple token transfer, an ownership change, or a proxy upgrade.
Step-by-Step Walkthrough
Step 1: Always simulate before signing. The Radiant Capital attack could have been caught at the very first signing step if any of the three compromised signers had simulated the transaction before approving it. Simulation would have shown that the transaction was not a routine protocol operation but an ownership transfer of the Pool Provider contract to an unknown address. In Safe’s web interface, the Transaction Builder includes a simulation feature. For command-line users, Tenderly’s Simulation API provides detailed state diffs. Make simulation a non-negotiable part of your signing workflow — no exceptions.
Step 2: Decode the calldata independently. The malware on the compromised devices manipulated what signers saw, displaying a legitimate-looking transaction while the actual calldata executed something entirely different. To counter this, always decode the raw calldata independently of the signing interface. Copy the hex data from the transaction details and decode it using a separate tool — for example, the ABI decoder on Etherscan or a local Foundry script. If the decoded function call does not match what your signing interface shows, you are being manipulated.
Step 3: Verify the target contract address. In the Radiant Capital attack, the malicious implementation contract was deployed 14 days before the exploit. Security firm Hacken also found evidence of a failed attempt six days before the successful attack. Running a simple check on the target contract — when was it deployed, by whom, has it been audited — would have revealed that the new implementation was a freshly deployed, unaudited contract with no verifiable source code. Any proxy upgrade should trigger an automatic check of the new implementation address against known audit records and deployment history.
Step 4: Cross-reference on-chain signatures with your local view. The attacker’s malware manipulated the signing interface on compromised devices. To detect this, compare the transaction details shown in your signing interface with the transaction data visible on a block explorer or a separate, clean device. Any discrepancy — even a single character in an address or a minor difference in the value field — indicates that your signing environment has been tampered with. Stop immediately and investigate.
Step 5: Monitor for suspicious prior activity. The failed exploit attempt on Arbitrum was a warning sign that went unnoticed. Set up monitoring for any failed transactions targeting your protocol’s contracts, especially those involving ownership changes, proxy upgrades, or unusual contract interactions. Tools like OpenZeppelin Defender, Forta, or custom Tenderly alerts can notify you of suspicious activity in real time, providing critical early warning before an attacker refines their approach.
Troubleshooting
Problem: Simulation shows unexpected state changes but the transaction appears routine. Solution: This is the clearest possible indicator of a manipulated signing environment. Do not sign. Immediately alert your security team and investigate the device used for signing. Run a full malware scan and consider the possibility that your device has been compromised. In the Radiant Capital case, the malware specifically targeted the transaction display — meaning signers saw normal operations while the actual payload was malicious.
Problem: A co-signer reports seeing different transaction details than what you see. Solution: Stop all signing activity immediately. Different team members seeing different transaction details for the same multisig proposal indicates that at least one device in the signing chain has been compromised. Isolate the affected devices and conduct a full security audit of all signer hardware and software.
Problem: The new implementation contract has no verified source code. Solution: Treat this as a critical red flag. Legitimate protocol upgrades should always have verified, audited source code. If the implementation cannot be independently verified, the upgrade should be blocked pending a full security review. The Radiant Capital attacker deployed their malicious contract 14 days in advance precisely to avoid raising suspicion — but the absence of verified source code should have been an immediate blocker.
Mastering the Skill
Advanced transaction verification is not a one-time checklist but an ongoing discipline. The threat landscape evolves constantly — October 2024 alone saw $147 million in losses across 28 Web3 incidents, with phishing victims losing $18 million combined. The Radiant Capital attack combined multiple techniques that, individually, might have been caught by standard security measures. Together, they created an exploit that bypassed every layer of defense.
To truly master this skill, integrate transaction simulation and calldata decoding into every signing workflow, not just for high-value operations. Build automated checks that flag any proxy upgrade, ownership transfer, or interaction with newly deployed contracts. Conduct regular red-team exercises that test whether your signers can detect manipulated transactions. And stay engaged with the broader security community — the techniques used against Radiant Capital will be adapted and improved for use against other protocols. The best defense is a team that has seen every trick in the book and has the tools to recognize them in real time.
Disclaimer: This article is for educational purposes only and does not constitute financial or investment advice. Always conduct your own research and consult security professionals before implementing any security measures.
the malware modifying what signers SEE on screen is the scariest part. hardware wallets are useless if the input is already poisoned before it reaches the device
transaction simulation before signing should be mandatory for every multisig signer. Tenderly fork sim would have flagged the Radiant exploit instantly. no excuse
tenderly fork sim is table stakes now. we also run a diff check on the proxy implementation contract after every multisig tx. if the bytecode changes and we didnt approve that, alarm bells
the decoded calldata section is excellent. every protocol operator should know how to read raw hex. if you cant decode what youre signing, you shouldnt be a signer period
hard agree on simulation. we added mandatory Tenderly checks to our signing workflow after Radiant. takes an extra 2 minutes per tx but could literally save millions
the raw hex part cannot be overstated. we caught a suspicious delegatecall in a proposed upgrade last month just by reading the calldata. would have been a six figure loss
delegatecall in a suspicious context is an instant veto in our DAO. caught one last quarter that tried to redirect yield to an unknown address
calldata_witch blind signing is how most of these exploits happen. the ledger screen should show the full calldata but most users just hit confirm
run a weekly workshop on calldata decoding for new multisig signers. the number of people who blindly sign because the UI looks fine is terrifying
we added a mandatory 3-person review for any proxy upgrade after nearly getting hit by a similar attack. slows things down but beats losing 53M