
Radiant Capital’s $50 Million Hardware Wallet Hack Exposes DeFi’s Operational Blind Spot

The decentralized finance ecosystem is reeling from one of the most sophisticated attacks in its history after Radiant Capital lost over $50 million in a carefully orchestrated exploit that targeted the protocol’s hardware wallet infrastructure. The breach, which occurred on October 16, 2024, across BNB Chain and Arbitrum networks, represents a chilling evolution in how threat actors are bypassing traditional security measures.

The Exploit Mechanics

What makes the Radiant Capital breach particularly alarming is the attack vector: the hackers didn’t exploit a smart contract vulnerability. Instead, they compromised the hardware wallets of long-term developers by injecting malware into their systems. According to the project’s post-mortem, the attackers managed to manipulate transaction signatures at the device level, meaning even a hardware wallet — long considered the gold standard of crypto security — couldn’t prevent unauthorized transfers.

The attackers specifically targeted a 3-of-11 multisig wallet configuration. By compromising multiple signers’ devices, they were able to inject malicious code that altered transaction payloads before they were broadcast to the network. The developers believed they were signing routine protocol upgrades, while the actual transactions drained liquidity pools of ETH, USDC, and other assets worth over $50 million at the time.

With Bitcoin trading at approximately $72,720 and Ethereum at $2,638 on October 29, 2024, the stolen funds represent a substantial loss for the DeFi community. Blockchain analytics firms have attributed the attack to a North Korean-affiliated threat group known for targeting cryptocurrency projects through social engineering campaigns.

Affected Systems

The attack impacted Radiant Capital’s lending and borrowing markets on both Arbitrum and BNB Chain. Users who had supplied liquidity to these pools faced immediate exposure, as the drained contracts could no longer honor withdrawal requests at full value. The exploit also triggered cascading effects across integrated DeFi protocols that relied on Radiant’s markets for pricing and liquidity.

The multisig compromise exposed a fundamental weakness in how DeFi protocols manage administrative access. Even though Radiant employed a distributed signing model designed to prevent single points of failure, the attackers’ ability to compromise multiple signers simultaneously rendered the protection ineffective. Over 5,500 wallets were eventually identified as still holding compromised token approvals related to the exploit, requiring urgent revocation.

The Mitigation Strategy

In the aftermath, Radiant Capital’s team worked with blockchain security firms and on-chain investigators to trace the stolen funds. The protocol implemented emergency measures including pausing affected markets and conducting a comprehensive audit of all administrative access paths. Security researchers recommended that all DeFi protocols transition to more robust signing mechanisms, including transaction simulation before execution and multi-device verification requirements.

The broader DeFi security community also issued guidance for users to immediately revoke any outstanding token approvals associated with the compromised Radiant contracts. Tools like Revoke.cash and Unrekt saw a significant spike in usage as users rushed to secure their wallets against potential follow-on exploits.

Lessons Learned

The Radiant Capital hack demonstrates that the weakest link in DeFi security is increasingly the human and device layer, not the smart contract code itself. Key lessons from this incident include: multisig configurations must be paired with independent device security audits; transaction simulation should be mandatory before signing any administrative action; and protocols should implement time-locks on large-value transactions to allow for community review and emergency intervention.
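A minimal pre-signing gate for the payload-verification and time-lock lessons above, as an added example that is not Radiant's code or part of the original article. It does not simulate execution. The `Tx` type, the allowlist, the 48-hour window and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    to: str      # target contract address, 0x-prefixed hex
    value: int   # native value in wei
    data: str    # calldata, 0x-prefixed hex

# Hypothetical policy: selectors this multisig may call for routine admin work.
ALLOWED = {"0x3659cfe6": "upgradeTo(address)"}
TIMELOCK_SECONDS = 48 * 3600  # assumed review window, not a value from the article

def norm(h):
    """Lower-case a hex string and drop its 0x prefix for comparison."""
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def presign_check(reviewed, presented, queued_at, now):
    """Return the reasons to refuse signing; an empty list means proceed.

    `reviewed` is the proposal as approved out of band. `presented` is what
    the signing device is being asked to sign, read on a second device so a
    compromised host cannot supply both sides of the comparison.
    """
    reasons = []
    if norm(presented.to) != norm(reviewed.to):
        reasons.append("target differs from reviewed proposal")
    if presented.value != reviewed.value:
        reasons.append("value differs from reviewed proposal")
    if norm(presented.data) != norm(reviewed.data):
        reasons.append("calldata differs from reviewed proposal")
    selector = "0x" + norm(presented.data)[:8]
    if selector not in ALLOWED:
        reasons.append(f"selector {selector} not on admin allowlist")
    if now - queued_at < TIMELOCK_SECONDS:
        reasons.append("time-lock has not elapsed")
    return reasons

# Constructed sample data: a reviewed upgrade, and a payload swapped in transit
# for an ERC-20 transfer(address,uint256) call against the same target.
REVIEWED = Tx("0x" + "11" * 20, 0, "0x3659cfe6" + "00" * 12 + "22" * 20)
TAMPERED = Tx("0x" + "11" * 20, 0,
              "0xa9059cbb" + "00" * 12 + "33" * 20 + "ff" * 32)

if __name__ == "__main__":
    print(presign_check(REVIEWED, REVIEWED, queued_at=0, now=TIMELOCK_SECONDS))
    print(presign_check(REVIEWED, TAMPERED, queued_at=0, now=TIMELOCK_SECONDS))
```

The gate only helps if the presented payload reaches it by a path the signer's everyday workstation does not control.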

October 2024 saw approximately $118 million lost across multiple DeFi exploits, highlighting a concerning trend of increasingly sophisticated attacks targeting the operational infrastructure of decentralized protocols rather than their code.

User Action Required

If you have ever interacted with Radiant Capital contracts on Arbitrum or BNB Chain, you should immediately check and revoke any pending token approvals. Visit the official Radiant Capital channels for the specific contract addresses to avoid phishing sites. Moving forward, always verify transaction details in your wallet interface before signing, and consider using a dedicated device for high-value DeFi operations that is never used for browsing or email — the primary vectors for the malware that enabled this attack.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals before making decisions about your crypto assets.


9 thoughts on “Radiant Capital’s $50 Million Hardware Wallet Hack Exposes DeFi’s Operational Blind Spot”

  1. hardware wallets being compromised at the device level is the nightmare scenario. if your hw wallet lies to you about what you're signing, nothing saves you

    1. this is why the industry needs HSMs with verified boot chains, not consumer hw wallets running firmware that malware can patch

    2. coldcard_or_nothing

      if your hw wallet firmware can be patched by malware on your PC, it's not really cold storage is it. the whole point is airgapped signing

      1. security_first

        exactly. if the pc can push malicious firmware to the hw wallet, the airgap is theater. need devices that verify payloads independently

  2. 3-of-11 multisig and they still lost everything because the actual signing devices were owned. the security model assumes the hardware is trustworthy

    1. 3 of 11 multisig sounds safe on paper but if 3 signers all got malware on their machines it's game over. the threshold model assumes independent failure which breaks down when the attack targets the same vector on all devices

      1. the independent failure assumption is exactly what breaks when all signers use the same OS. diversity in signing environments matters more than the threshold number

  3. tornado cash got sanctioned for less than what these attackers did moving 50M through mixers. watch the enforcement asymmetry play out

  4. manipulating transaction payloads before broadcast means the signer saw a valid tx and approved it. this is a UI trust problem as much as a hardware one
