The decentralized finance ecosystem suffered a devastating blow when Radiant Capital, a prominent cross-chain lending protocol, lost $53 million in a sophisticated malware attack that compromised its multi-signature governance system. The incident, which sent shockwaves through the DeFi community, revealed alarming vulnerabilities in how even well-established protocols manage their most critical operations.
The Exploit Mechanics
On October 16, 2024, attackers executed a carefully orchestrated campaign against Radiant Capital’s 3-of-11 multi-signature wallet scheme. Rather than exploiting a smart contract vulnerability, the attackers deployed malware that manipulated the Safe wallet front end used by protocol signers. This social-engineering-meets-malware approach allowed the attacker to trick multiple authorized signers into approving malicious transactions they believed were legitimate protocol operations.
Once the attacker gained control of three signer devices, they upgraded Radiant’s Pool Provider contract to a malicious version. This upgraded contract granted the attacker access to user funds across multiple blockchain networks simultaneously. The cross-chain nature of the attack amplified the damage, as funds were drained from pools on several chains in quick succession before the team could respond.
The attack vector was particularly insidious because it bypassed conventional smart contract audits. The code itself was not flawed—instead, the human operators were compromised through carefully crafted malware that modified what they saw on their screens during the signing process.
Affected Systems
The breach impacted Radiant Capital’s lending and borrowing pools across multiple chains, including Arbitrum and Binance Smart Chain. Users who had supplied assets to these pools found their positions drained as the attacker leveraged the compromised Pool Provider contract to withdraw funds at will. The total loss reached $53 million in various crypto assets.
With Bitcoin trading near $75,900 and Ethereum around $2,895 on November 7, the broader crypto market remained in a bullish post-election rally, which somewhat masked the severity of the DeFi-specific incident. However, the attack underscored a systemic risk that extends far beyond Radiant Capital: any protocol relying on multi-signature governance is potentially vulnerable to the same attack pattern.
The Mitigation Strategy
Security researchers analyzing the incident identified several critical improvements that could have prevented or limited the damage. First, the use of dedicated, air-gapped devices for transaction signing would have prevented the malware from reaching signer machines in the first place. When operators use the same devices for daily browsing and critical protocol governance, they expose their signing authority to the full spectrum of web-based threats.
Second, the 3-of-11 threshold was dangerously low given the size of the signer pool. With 11 authorized signers, an attacker needed to compromise only three devices, roughly 27 percent of the signer set. A higher threshold, such as 6-of-11 or even 7-of-11, would have made the attack far more difficult to execute.
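To put numbers on the threshold argument, the following added example (not from the original article or from Radiant's tooling) compares 3-of-11, 6-of-11 and 7-of-11 under a simple model. It assumes each signer device is compromised independently with the same probability, and it goes one step beyond the text by also computing the availability cost of a higher threshold; the 10 percent figures are constructed inputs, not measurements.

```python
from math import comb


def tail(n: int, k: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def takeover_probability(n: int, k: int, p_compromise: float) -> float:
    """Chance an attacker controls at least k of the n signer devices.

    Assumption: devices fall independently. Signers who share one
    front end or one phishing lure are correlated, so the real risk
    is higher than this figure.
    """
    return tail(n, k, p_compromise)


def quorum_loss_probability(n: int, k: int, p_unavailable: float) -> float:
    """Chance that fewer than k signers can sign (more than n-k unavailable)."""
    return tail(n, n - k + 1, p_unavailable)


def compare(n, thresholds, p_compromise, p_unavailable):
    """One (k, takeover, quorum_loss) row per candidate threshold."""
    return [
        (k,
         takeover_probability(n, k, p_compromise),
         quorum_loss_probability(n, k, p_unavailable))
        for k in thresholds
    ]


if __name__ == "__main__":
    # Constructed inputs: 10% per-device compromise, 10% signer unavailability.
    for k, takeover, loss in compare(11, (3, 6, 7), 0.10, 0.10):
        print(f"{k}-of-11  takeover={takeover:.6f}  quorum_loss={loss:.6f}")
```

Under these inputs the takeover probability falls from about 9 percent at 3-of-11 to about 0.03 percent at 6-of-11, while the chance of being unable to reach quorum rises with the threshold.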
Third, automated monitoring systems that flag repeated transaction failures could have halted the attack in its tracks. The Radiant exploit involved multiple failed transaction attempts before the attacker succeeded. A system that automatically pauses operations after a configurable number of failures would have bought the team critical time to investigate.
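A minimal sketch of the pause-after-N-failures control described above, as an added example rather than code from Radiant or Safe. The event format, labels and timestamps are constructed for illustration, and the class name and parameters are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FailureBreaker:
    """Pauses operations after too many failed transactions in a time window."""
    max_failures: int = 3        # configurable failure count
    window_seconds: int = 3600   # look-back window for counting failures
    paused: bool = False
    _failures: deque = field(default_factory=deque)

    def observe(self, ts: int, status: str) -> bool:
        """Feed one event; return True if operations are paused afterwards."""
        if self.paused:
            return True          # stays paused until a human resets it
        if status == "failed":
            self._failures.append(ts)
        # Drop failures that have aged out of the window.
        while self._failures and ts - self._failures[0] > self.window_seconds:
            self._failures.popleft()
        if len(self._failures) >= self.max_failures:
            self.paused = True
        return self.paused


# Constructed sample events: (unix seconds, label, status). Not incident data.
EVENTS = [
    (1000, "routine-param-update", "success"),
    (5000, "routine-param-update", "failed"),   # isolated failure, ages out
    (9500, "signing-attempt-1", "failed"),
    (9800, "signing-attempt-2", "failed"),
    (10100, "signing-attempt-3", "failed"),     # third failure inside one hour
    (10400, "contract-upgrade", "success"),     # arrives after the pause
]


def run(events, **config):
    """Replay events; return (paused, labels held back for manual review)."""
    breaker = FailureBreaker(**config)
    held = []
    for ts, label, status in events:
        if breaker.paused:
            held.append(label)   # would be queued for review, not executed
            continue
        breaker.observe(ts, status)
    return breaker.paused, held
```

With the default configuration the three clustered failures trip the breaker and the later upgrade is held for review; raising `max_failures` to 5 lets the same sequence through, which shows how sensitive the control is to its setting.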
Lessons Learned
The Radiant Capital exploit serves as a stark reminder that DeFi security extends well beyond smart contract code. The weakest link in the chain proved to be the human operators and their endpoint security. Protocols must treat the operational security of their signer devices with the same rigor they apply to code audits and formal verification.
For users, the incident highlights the importance of understanding how protocols govern themselves. Before depositing funds into any DeFi platform, investors should research the protocol’s multi-signature configuration, the security practices of its signers, and whether dedicated hardware is used for governance operations.
User Action Required
If you had funds deposited in Radiant Capital pools at the time of the breach, monitor the protocol’s official communication channels for recovery plans and potential compensation distributions. For all DeFi users, take this moment to review your own security practices: use hardware wallets for large holdings, verify transaction details before signing, and diversify your deposits across multiple protocols to limit exposure to any single point of failure. The $53 million lost in this attack could have been prevented with operational security measures that cost a fraction of that amount to implement.
3-of-11 multisig and they still got owned. the malware angle is terrifying because no amount of smart contract auditing catches that
exactly, and the Safe wallet front end was compromised too. air-gapped signing is the only real fix for this
solana_sam 3-of-11 sounds safe until you realize the malware showed legitimate looking transactions on screen while sending different ones underneath. the UI lied to the signers
ledger_lord_ the UI lying to signers is the real nightmare. you can't audit your way out of a compromised front end showing you fake data
$53M gone because someone clicked a bad link on their signer device. Hardware wallets for multisig signers should be mandatory, not optional.
The cross-chain aspect made it worse. Once they upgraded the Pool Provider contract, funds on every chain were exposed simultaneously. Single point of failure across multiple networks.
Karen M. the cross-chain cascade is what made this so bad. one compromised contract drained funds on arbitrum, bsc, and ethereum simultaneously. no chain was safe
Tatiana Volkov one contract upgrade draining funds on arbitrum bsc and ethereum at the same time. the cross-chain composability that everyone celebrates is also the attack multiplier
Andrea F. hardware wallets for multisig signers should be mandatory. the cost of 11 hardware wallets vs a $53M loss is not a hard calculation
3 of 11 multisig defeated by malware that showed fake transactions on screen. the signers literally approved transactions that looked fine but drained 53M across multiple chains