The decentralized finance ecosystem suffered one of its most sophisticated attacks on October 16, 2024, when cross-chain lending protocol Radiant Capital lost $53 million in a meticulously orchestrated exploit. With Bitcoin trading near $67,000 and Ethereum around $2,480 at the time, the theft sent shockwaves through a sector already reeling from a brutal month of security incidents.
The Exploit Mechanics
The attack on Radiant Capital did not exploit a smart contract vulnerability or a novel zero-day. Instead, the perpetrators executed a coordinated social engineering campaign that compromised the devices of at least three multisig signers. Radiant Capital employed an 11-signer governance multisig with a 3-of-11 threshold — meaning only three signatures were needed to approve any transaction, including ownership transfers of critical protocol contracts.
The timeline reveals surgical precision. At 2:47 PM UTC on October 16, the first malicious transaction appeared in the multisig queue. By 2:51 PM, the attacker had deployed a custom attack contract. At 2:53 PM, the multisig transaction executed, transferring ownership of the contracts that control Radiant's lending pools on Arbitrum and BNB Smart Chain (BSC) to the attacker. Over the next 18 minutes, from 2:54 PM to 3:12 PM, the attacker drained the pools in a methodical pattern, interspersing large withdrawals with smaller transactions so that no single transaction tripped the per-transaction thresholds that automated monitoring typically alerts on.
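The drain pattern described above defeats a monitor that looks at each withdrawal in isolation. The following is an added example, not Radiant's monitoring or any vendor's product, of two detections a practitioner would run over pool outflow events instead: a rolling per-pool outflow sum, and an immediate alert on any ownership change of a governance-controlled contract, which in this incident fired a full minute before the first withdrawal. The log lines are constructed for the example (pool names, short transaction ids and addresses are all hypothetical).

```python
# Added example: detect a drain that is split into withdrawals sized below a
# per-transaction alert threshold. Sample events are constructed, not real telemetry.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event log. "withdraw" lines are pool outflows in USD; the
# "owner_changed" line models an OwnershipTransferred event on the admin contract.
SAMPLE_LOG = """\
2024-10-16T14:40:00Z event=withdraw pool=eth-weth tx=0x00 amount_usd=1000000
2024-10-16T14:53:30Z event=owner_changed contract=pool-admin new_owner=0x3333 tx=0x0a
2024-10-16T14:54:03Z event=withdraw pool=arb-wbtc tx=0x01 amount_usd=4200000
2024-10-16T14:55:10Z event=withdraw pool=arb-wbtc tx=0x02 amount_usd=150000
2024-10-16T14:56:22Z event=withdraw pool=arb-usdc tx=0x03 amount_usd=900000
2024-10-16T14:57:05Z event=withdraw pool=arb-wbtc tx=0x04 amount_usd=3900000
2024-10-16T14:58:41Z event=withdraw pool=arb-wbtc tx=0x05 amount_usd=210000
2024-10-16T15:00:30Z event=withdraw pool=bsc-usdt tx=0x06 amount_usd=2800000
2024-10-16T15:03:12Z event=withdraw pool=bsc-usdt tx=0x07 amount_usd=95000
2024-10-16T15:05:47Z event=withdraw pool=bsc-usdt tx=0x08 amount_usd=2600000
2024-10-16T15:09:10Z event=withdraw pool=arb-usdc tx=0x09 amount_usd=600000
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if "amount_usd" in ev:
            ev["amount_usd"] = int(ev["amount_usd"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def per_tx_alerts(events, limit_usd):
    """The naive rule: alert only when one withdrawal exceeds limit_usd."""
    return [e["tx"] for e in events
            if e["event"] == "withdraw" and e["amount_usd"] > limit_usd]


def rolling_outflow_alerts(events, window, limit_usd):
    """Alert when a pool's total outflow inside a sliding time window exceeds
    limit_usd, whatever the size of the individual withdrawals. Returns one
    (pool, tx, window_total) tuple per pool, for the transaction that tripped it."""
    recent, totals, alerted, alerts = defaultdict(deque), defaultdict(int), set(), []
    for e in events:
        if e["event"] != "withdraw":
            continue
        pool, q = e["pool"], recent[e["pool"]]
        q.append((e["ts"], e["amount_usd"]))
        totals[pool] += e["amount_usd"]
        while q and e["ts"] - q[0][0] > window:      # evict events outside the window
            totals[pool] -= q.popleft()[1]
        if totals[pool] > limit_usd and pool not in alerted:
            alerted.add(pool)
            alerts.append((pool, e["tx"], totals[pool]))
    return alerts


def admin_change_alerts(events, expected_owners):
    """Alert on any ownership change whose new owner is not the expected one.
    This is the earliest and least ambiguous signal in an attack of this shape."""
    return [(e["tx"], e["contract"], e["new_owner"]) for e in events
            if e["event"] == "owner_changed"
            and expected_owners.get(e["contract"]) != e["new_owner"]]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("per-tx alerts (limit 5M):", per_tx_alerts(EVENTS, 5_000_000))
    print("rolling 10-minute alerts:", rolling_outflow_alerts(EVENTS, timedelta(minutes=10), 5_000_000))
    print("admin change alerts:", admin_change_alerts(EVENTS, {"pool-admin": "0x1111"}))
```

With a 5 million USD per-transaction limit the naive rule never fires on this log, because no single withdrawal crosses it; the rolling rule flags the Arbitrum WBTC pool on the third withdrawal and the BSC USDT pool on its third, and the ownership-change rule fires before any funds move. In production the rolling limit would be expressed as a fraction of each pool's liquidity rather than a fixed dollar figure.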
Post-incident forensic analysis found targeted malware on the devices of at least three signers. According to Radiant's own post-mortem, the signers were using hardware wallets, and the malware manipulated the Safe{Wallet} front end so that the interface displayed legitimate transaction data while a malicious payload was passed to the device for signature. Because a hardware wallet shows only an opaque hash for a contract interaction ("blind signing"), the signers had no way to see that what they approved differed from what the interface showed them. The malicious transactions were surfaced as ordinary failures, prompting the signers to re-sign until the attacker had collected enough valid signatures.
Affected Systems
The attack was carried out against Radiant's deployments on Arbitrum and BSC. On Arbitrum, where Radiant had concentrated most of its liquidity, the attacker emptied the major lending pools holding wrapped Bitcoin, Ether, and stablecoin deposits; the BSC pools were drained in the same way. Radiant's Ethereum mainnet markets were paused in response, and the bulk of the $53 million came from the Arbitrum deployment.
The compromised contracts were the core lending pool implementations that manage user deposits, borrow positions, and interest rate accrual. Admin control let the attacker point the pools at a malicious implementation, bypassing collateralization requirements, withdrawal limits, and health factor checks, effectively treating user deposits as freely withdrawable funds. The malicious implementation also used the ERC-20 approvals users had granted the lending pool, so tokens still sitting in users' wallets with an open approval could be pulled as well; this is why Radiant told users to revoke approvals to the affected contracts.
The broader October 2024 hacking landscape compounds the concern. According to blockchain security firm PeckShield, the cryptocurrency sector suffered approximately $88.47 million in losses across 20 separate incidents during October alone. The Radiant Capital exploit represented over 60 percent of that total. Other notable incidents included a $5.7 million exploit on EigenLayer and a $4.7 million attack on Tapioca DAO through a compromised private key.
The Mitigation Strategy
In the aftermath, the DeFi security community rallied around several recommendations that should have been standard practice before the attack. The most glaring weakness was the multisig threshold. A 3-of-11 threshold controlling over $300 million in total value locked is hard to defend: it gives an attacker eleven targets and requires only three successes. A common recommendation is a threshold above half of the signer set for protocol-critical operations, at least 7-of-11 in Radiant's configuration. A higher threshold is necessary but not sufficient, though: if every signer approves through the same compromised interface and signs blindly, the attacker needs more retries, not a different technique.
The absence of a timelock mechanism proved equally devastating. The malicious transaction executed the instant it received the third signature. A 24-to-48 hour delay on critical operations such as ownership transfers and implementation upgrades would have given the Radiant team and community monitors time to detect the suspicious activity and initiate an emergency response. The delay has to cover exactly those privileged operations, and it pairs naturally with a separately controlled emergency pause that can act immediately. Several leading protocols, including Compound and Uniswap, have long implemented governance timelocks precisely for this reason.
Hardware wallets alone would not have stopped this attack, and Radiant's post-mortem indicates the signers were already using them. The compromise worked because each signer approved a hash they could not read, on the strength of what a compromised web interface told them the hash meant. The mitigations that address this are procedural: compute the Safe transaction hash independently, on a clean machine, from the raw transaction fields and compare it with the hash shown on the hardware wallet before approving; prefer devices and wallet software that decode and display the call ("clear signing") rather than a bare hash; confirm every queued transaction out of band with the proposer; and treat a signing failure followed by a request to re-sign as an incident, not an inconvenience. Dedicated signing machines that are never used for email, chat or browsing raise the bar for implanting the malware in the first place.
Lessons Learned
The Radiant Capital exploit demonstrates that smart contract audits, while necessary, are far from sufficient. Radiant’s code had been audited by multiple reputable firms, and the attack did not exploit any code vulnerability. The failure was operational — the human and process layer surrounding the technology. This distinction between code security and operational security is one that many protocols have yet to internalize.
The attack also highlights the growing sophistication of threat actors targeting DeFi protocols. This was not an opportunistic script kiddie scanning for low-hanging fruit. The level of coordination required to compromise multiple signer devices, time the attack across three chains, and evade monitoring systems for 18 minutes suggests a well-resourced, potentially state-sponsored threat group.
For users, the lesson is equally stark. Even protocols with audited code and seemingly robust governance structures can fail catastrophically if the operational security layer is weak. Diversifying across protocols, monitoring governance activity, and maintaining awareness of timelock configurations on platforms where you deposit funds are no longer optional — they are essential survival practices.
User Action Required
If you had funds deposited in Radiant Capital pools on Arbitrum or BSC at the time of the October 16 attack, you should immediately check your positions and any communications from the Radiant team regarding fund recovery plans, and revoke any ERC-20 approvals you granted to the affected Radiant contracts, since the malicious pool implementation could draw on open approvals even for tokens still in your wallet. For all DeFi users, regardless of platform, review the multisig configuration and timelock policy of any protocol where you maintain deposits. Protocols that cannot clearly articulate their signer threshold, timelock duration, and signing procedures should be treated with heightened caution. The difference between a 3-of-11 multisig with no delay and a 7-of-11 multisig behind a 48-hour timelock can be the difference between your funds being safe and your funds being gone.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
18 minutes. $53 million gone in 18 minutes. And an 11-signer multisig with only a 3-of-11 threshold? That's basically a 3-of-3 pretending to be decentralized
The social engineering angle is what makes this scary. No smart contract bug, no flash loan attack. Just old fashioned device compromise.
device compromise via malware is the new flash loan attack. harder to audit against because it targets humans not code
I warned people about low-threshold multisigs in 2022. Nobody listens until $53M walks out the door.
3-of-11 is just negligence at that point. no excuse for not requiring at least 7 signers on a protocol holding 9 figures
exactly. even Gnosis Safe recommends higher thresholds for treasuries this size. the tools were there, they just didn't use them
the real question is why any protocol with 9-figure TVL settles for the minimum threshold. laziness or incompetence, pick one
3-of-11 on a protocol holding 9 figures is wild. changing the threshold to 7-of-11 takes one governance vote and nobody did it until after losing 53 million
Dolores P. one governance vote to save 53M and nobody pushed for it. that's not bad luck, that's negligence dressed up as decentralization
deployed at 2:47, funds gone by 2:53. 6 minutes from first tx to completion. the attacker had probably been preparing for weeks
bakasura_ 6 minutes from first tx to draining 53M means they had the attack contract ready before the multisig vote. weeks of prep for a 6 minute execution
compromising 3 separate signer devices across different locations is wild. someone spent months planning this and nobody at Radiant noticed anything off
3-of-11 multisig threshold meant compromising just three devices out of eleven. the convenience vs security tradeoff killed $53M in 18 minutes flat
social engineering three separate signers across different locations means this was a coordinated campaign not a quick hack. the tradecraft here was state-level