
How Malware Compromised Three Hardware Wallets to Drain $53 Million From DeFi Lending Pools

The cryptocurrency security landscape got a stark reminder of its weak points when attackers used purpose-built malware to subvert hardware-wallet signing by developers at a major cross-chain lending protocol. The breach, laid out in a detailed analysis published on November 5, 2024, showed how even industry-standard security tools can be turned against their users when attackers invest enough time and resources.

With Bitcoin trading at approximately $69,360 and Ethereum at $2,423 on the day of the analysis, the cryptocurrency market was already on edge amid the U.S. presidential election. But this incident served as a sobering reminder that the most significant threats to crypto users often come not from market volatility, but from carefully orchestrated social engineering and malware attacks.

The Exploit Mechanics

The attack targeted Radiant Capital, a decentralized lending protocol that allows users to deposit assets on one blockchain and borrow on another. The protocol operated across Arbitrum and Binance Smart Chain (BSC), managing over $300 million in total value locked at its peak.

The attackers planted malware on the computers of three developers who served as signers on the protocol's multisig wallet. The malware manipulated the Safe{Wallet} front end so that it displayed legitimate-looking transaction data while a different payload was handed to the hardware wallet for signature. A hardware wallet can only show what the host feeds it, and the signers were approving hashes they could not independently decode on the device (so-called "blind signing"), so the substitution went unnoticed: neither a Tenderly simulation nor a manual review of the Safe interface showed any visible anomaly.

The attackers also took advantage of the routine error messages the wallet interface surfaced: each apparent transaction failure prompted the signers to retry, and each retry handed the attackers another signature. Spread across multiple attempts, the collection looked like ordinary operational troubleshooting rather than an attack, and the attackers accumulated the approvals they needed without raising suspicion.

Affected Systems

The protocol's multisig had 11 signers but required only 3 signatures to authorize a transaction, a "3-of-11" setup. Once the attackers had collected three valid signatures over their payload through the malware campaign, they executed the "transferOwnership" function on Radiant's Pool Provider contract, the contract that governs the protocol's lending pools.

With ownership in hand, the attackers upgraded the lending pool contracts on BSC and Arbitrum to malicious implementations. The replaced code altered functions such as "transferFrom" so that the pools could pull tokens from any account that still held an outstanding allowance for them; affected users did not have to interact with the protocol again to be drained. The result was the extraction of approximately $53 million in user funds.

The attackers then laundered the stolen assets through decentralized exchanges including PancakeSwap and 1inch, converting everything into ETH and BNB to obscure the trail. Evidence suggests malicious contracts were deployed weeks in advance, indicating a highly sophisticated and well-planned operation.

The Mitigation Strategy

In the aftermath of the breach, the protocol paused its markets on Base and Ethereum and advised all users to revoke the token approvals they had granted to its smart contracts. The team worked with law enforcement agencies and blockchain security firms, including ZeroShadow and Chainalysis, to trace the stolen assets and attempt recovery.

The most significant structural change was a complete overhaul of the multisig configuration. The protocol reduced its signer pool from 11 to 7 while increasing the signature threshold from 3 to 4, creating a substantially stronger consensus requirement for transaction approval. This adjustment means that even if an attacker manages to compromise individual signers, they would need to breach a larger proportion of the signing group to execute a malicious transaction.

Lessons Learned

This incident underscores several critical security principles. First, a multisig configuration is only as strong as its threshold-to-signer ratio. A 3-of-11 setup means an attacker needs to compromise only 27% of signers, whereas a 4-of-7 configuration raises that to 57%. Those ratios assume signers fall independently; in a single campaign aimed at one development team, as here, the absolute threshold matters just as much, since one piece of malware delivered to three colleagues met the old quorum. Second, hardware wallets, while far more secure than software alternatives, are not invulnerable to malware that targets the interface layer between the device and the user.
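To put numbers on the threshold comparison above, here is an added example (not from the article or from Radiant) that models each signer as independently compromised with probability p and asks how likely an attacker is to reach the quorum. It also computes the other side of the trade-off the article does not mention: the chance that too many honest signers are unavailable for the legitimate team to reach quorum. The probabilities 0.10 and 0.20 are illustrative assumptions, and the 7-of-11 row is a hypothetical configuration added for contrast.

```python
# Added example: quorum math for an m-of-n multisig under an independence assumption.
from math import comb


def p_at_least(k: int, n: int, p: float) -> float:
    """Binomial tail: probability that at least k of n independent trials succeed."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def compromise_probability(threshold: int, signers: int, p_signer: float) -> float:
    """An attacker can forge a quorum once at least `threshold` signers are compromised."""
    return p_at_least(threshold, signers, p_signer)


def liveness_failure(threshold: int, signers: int, p_unavailable: float) -> float:
    """A legitimate quorum is impossible once more than signers - threshold signers are out."""
    return p_at_least(signers - threshold + 1, signers, p_unavailable)


def compare(configs, p_signer: float = 0.10, p_unavailable: float = 0.20) -> dict:
    """Map '3-of-11' style labels to (forged-quorum probability, no-quorum probability)."""
    return {f"{t}-of-{n}": (compromise_probability(t, n, p_signer),
                            liveness_failure(t, n, p_unavailable))
            for t, n in configs}


if __name__ == "__main__":
    # Radiant's old and new configurations, plus a hypothetical stricter one.
    for name, (forged, stalled) in compare([(3, 11), (4, 7), (7, 11)]).items():
        print(f"{name}: forged quorum {forged:.4f}   no legitimate quorum {stalled:.4f}")
```

Raising the threshold lowers the forgery probability but raises the chance of being unable to act in an emergency, which is why a team cannot simply pick n-of-n. The independence assumption is also the optimistic case: malware delivered to several signers through one campaign, as in this incident, correlates their compromise, and then only the absolute threshold protects the treasury.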

Third, the attack demonstrates that visual verification of transaction data in a wallet interface cannot be trusted when the host running that interface is compromised. The industry needs additional verification layers that operate independently of the signing host, for example recomputing the transaction hash on a separate, clean machine and comparing it with the hash the hardware wallet displays before approving.

User Action Required

For DeFi users, this breach reinforces the importance of regularly reviewing and revoking token approvals, particularly for protocols that have experienced security incidents. Users should also be aware that granting unlimited token approvals, a common convenience that saves repeated approval transactions, creates persistent risk exposure: an allowance outlives the interaction that created it, and a later malicious upgrade of the approved contract can spend it without any further action by the user. Use approval management tools to audit and revoke unnecessary permissions on a regular schedule, and always verify a protocol's recovery status before re-engaging with a previously compromised platform.
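The audit described above can be done from public data alone. Here is an added example (not the article's code and not tied to any real protocol) that replays ERC-20 Approval events for one owner, keeps the latest allowance per token and spender, flags the unlimited ones, and builds the approve(spender, 0) calldata that revokes each. The log entries are constructed in the shape returned by eth_getLogs, with placeholder addresses; the Approval event topic and the approve selector are the standard ERC-20 values.

```python
# Added example: audit and revoke ERC-20 allowances from Approval event logs.
UINT256_MAX = (1 << 256) - 1
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)


def pad32(address: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte topic / ABI word."""
    return "0x" + address[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()


def latest_allowances(logs: list, owner: str) -> dict:
    """Replay Approval logs in chain order; the last value per (token, spender) is the live one."""
    live = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or topic_to_address(log["topics"][1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        live[key] = int(log["data"], 16)
    return {k: v for k, v in live.items() if v > 0}


def classify(value: int) -> str:
    if value == UINT256_MAX:
        return "unlimited"
    return "effectively unlimited" if value >= 1 << 128 else "bounded"


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0). Send this to the TOKEN contract, not to the spender."""
    return "0x" + APPROVE_SELECTOR + pad32(spender)[2:] + "0" * 64


def audit(logs: list, owner: str) -> list:
    return [{"token": token, "spender": spender, "allowance": classify(value),
             "revoke_calldata": revoke_calldata(spender)}
            for (token, spender), value in latest_allowances(logs, owner).items()]


# Constructed sample logs (not real chain data): TOKEN_A approved without limit and never
# revoked; TOKEN_B approved then set back to zero; a third approval belongs to someone else.
OWNER, POOL, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "c1" * 20, "0x" + "c2" * 20
SAMPLE_LOGS = [
    {"address": TOKEN_A, "blockNumber": 100, "logIndex": 3,
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(POOL)], "data": "0x" + "f" * 64},
    {"address": TOKEN_B, "blockNumber": 101, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(POOL)], "data": "0x" + f"{10**21:064x}"},
    {"address": TOKEN_B, "blockNumber": 250, "logIndex": 7,
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(POOL)], "data": "0x" + "0" * 64},
    {"address": TOKEN_A, "blockNumber": 260, "logIndex": 1,
     "topics": [APPROVAL_TOPIC, pad32(OTHER), pad32(POOL)], "data": "0x" + "f" * 64},
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_LOGS, OWNER):
        print(entry["token"], "->", entry["spender"], entry["allowance"])
        print("  revoke:", entry["revoke_calldata"])
```

Two caveats when running this against real data: fetch logs with topics[1] set to the owner's padded address so the node does the filtering, and remember that this covers plain ERC-20 allowances only. Permit-based approvals and Permit2 grants do not emit Approval on the token, and ERC-721 setApprovalForAll uses a different event.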

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before interacting with any DeFi protocol.


11 thoughts on “How Malware Compromised Three Hardware Wallets to Drain $53 Million From DeFi Lending Pools”

  1. Malware on hardware wallets is the nightmare scenario. The fact that they targeted developers specifically is terrifying for anyone building in DeFi.

    1. The social engineering angle is wild. They literally waited for election day when everyone was distracted. $53M gone and most people didn't even notice.

      1. The fact that the malware intercepted transactions before signing on the Ledger display is next level. State-sponsored stuff imo.

        1. segfault_dev Intercepting transactions before they hit the Ledger display is next-level. This is not some script kiddie attack; the malware was signing malicious payloads on the fly.

  2. Fatima Al-Rashid

    Radiant had 300M TVL and their multisig got compromised through malware injected into developer machines. This is why air-gapped signing matters.

    1. Fatima is right about air-gapped signing. Multisig means nothing if 3 of 5 signers are running compromised dev machines. Radiant learned that for $53M.

      1. gpu_hodler Exactly. Multisig on compromised machines is just multiple people approving the same malicious transaction. The signing setup matters more than the count.

  3. Used to think hardware wallets were bulletproof. After reading this, nothing is safe if the computer you connect it to is compromised.

    1. Dmitri S. Exactly. The hardware wallet is only as safe as the machine you plug it into. One compromised laptop and your Ledger is basically a prop.

      1. Ronan C. The scary part is the malware sat dormant for weeks before the actual drain. They waited for election day when everyone was distracted. Patient attackers.

  4. Radiant had $300M TVL and their dev multisig was on machines that got malware injected. Waiting for election day to execute was chef knife levels of calculated.
