
The Radiant Capital Hack: How FailSafe Protects Protocols Against Sophisticated Attacks


The Most Sophisticated Attack of 2024


On October 16, 2024, Radiant Capital experienced its second major security breach of the year, resulting in the loss of over $50 million in user funds. Widely regarded as one of the most sophisticated attacks of 2024, the operation began on September 11, when a threat actor impersonating a former contractor contacted a Radiant developer via Telegram, deploying malware that ultimately enabled the takeover of protocol contracts. In this article, we provide a detailed technical breakdown of the attack and demonstrate how FailSafe, the industry’s leading threat monitoring and response solution, could have detected and stopped the attack.

Technical Breakdown & Timeline

  1. A Telegram Message on September 11, 2024 (35 Days Before the Exploit):
    • The attack began when a Radiant developer received a Telegram message from a threat actor impersonating a former contractor, who was requesting feedback on a Penpie Hack Analysis. This message served as the initial phishing vector.
  2. Delivery of Malware:
    • The threat actor sent a ZIP file over Telegram containing the decoy PDF of the Penpie Hack Analysis and macOS malware named INLETDRIFT. The malware granted the attacker backdoor access to multiple developer devices. Mandiant is confident that the malware originated from the Democratic People’s Republic of Korea (DPRK).
  3. The Attacker Deploys Malicious Contracts on October 2, 2024 (14 Days Before the Exploit):
    • The attacker deployed contracts on Arbitrum, BSC, Base, and Ethereum. The attacker avoided suspicion by funding the wallets weeks in advance without the obvious use of mixers like Tornado Cash. The contracts also didn’t exhibit signs of malicious intent.
  4. Compromising the Safe{Wallet} UI on October 16, 2024 (Day of Exploit):
    • With access to compromised devices via malware, the attacker manipulated the Safe{Wallet} UI, presenting legitimate-looking transactions to collect the necessary signatures for malicious actions.
  5. Changing Contract Ownership:
    • The attacker used the collected multi-signature approvals to authorize a transferOwnership action that moved legitimate protocol contracts to malicious versions.
  6. Draining User Funds:
    • The attackers subsequently drained approximately $50 million USD from the core markets on Arbitrum and BSC. Additionally, they exploited open approvals to withdraw funds from users’ accounts.

FailSafe: Stopping the Attack

Real-Time Risk Monitoring: Detecting Contract Ownership Takeover

FailSafe’s Risk Monitoring System would have identified the proposed ownership change of Radiant’s Pool Provider contract—a key step in the attack. Upon detecting the unauthorized modification, FailSafe would have:

  • Triggered Protective On-Chain Responses: Automatically initiated emergency actions, such as moving funds to cold storage or pausing vulnerable smart contracts, neutralizing the threat before it escalated.
  • Alerted Key Personnel: Sent real-time notifications to stakeholders for validation, preventing malicious execution.

Access Control Guard: Enforcing Transaction Integrity

FailSafe’s Access Control Guard would have added a critical layer of defense on the Safe multisig wallet by enforcing granular controls on privileged transactions. Key features include:

  • Signer and Device Verification: Enforcing that privileged transactions (such as ownership changes) are signed only by a select set of signers, from pre-approved devices and IP ranges. Malware-compromised signers would have been flagged and blocked.
  • Anomaly Detection: Identifying deviations from typical signing patterns or device behavior, preventing fake Safe UI transactions from slipping through unnoticed.
  • Veto Malicious Transactions: Blocking unauthorized operations, such as the upgrade to malicious pool contracts.
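
A pre-signing check of the kind described above, as an added example (not FailSafe's or Radiant's code): it decodes the raw calldata of a proposed multisig transaction independently of the wallet UI and flags `transferOwnership(address)` calls whose new owner is not approved. The addresses, the policy sets and the `review` helper are constructed for illustration.

```python
# Added illustration: review a proposed multisig transaction from its raw
# calldata, independently of what the signing UI displays.
# All addresses and policy sets below are constructed placeholders.

TRANSFER_OWNERSHIP = bytes.fromhex("f2fde38b")  # transferOwnership(address)

PROTECTED_CONTRACTS = {"0x" + "aa" * 20}  # hypothetical protocol contract
APPROVED_OWNERS = {"0x" + "bb" * 20}      # hypothetical governance address


def decode_new_owner(data: bytes):
    """Return the proposed owner for a transferOwnership call, else None."""
    if data[:4] != TRANSFER_OWNERSHIP:
        return None
    arg = data[4:]
    # One ABI word: 12 zero bytes of padding followed by a 20-byte address.
    if len(arg) != 32 or any(arg[:12]):
        raise ValueError("malformed transferOwnership argument")
    return "0x" + arg[12:].hex()


def review(tx: dict) -> list:
    """Return findings for a proposed transaction; empty means no objection."""
    to = tx["to"].lower()
    raw = tx["data"][2:] if tx["data"].startswith("0x") else tx["data"]
    try:
        new_owner = decode_new_owner(bytes.fromhex(raw))
    except ValueError as exc:
        # Fail closed: calldata we cannot decode is never waved through.
        return [f"BLOCK: undecodable calldata ({exc})"]
    if new_owner is None:
        return []
    findings = [f"ALERT: ownership change on {to} -> {new_owner}"]
    if to in PROTECTED_CONTRACTS and new_owner not in APPROVED_OWNERS:
        findings.append("BLOCK: new owner is not on the approved list")
    return findings


if __name__ == "__main__":
    # Constructed sample: ownership of a protected contract to an unknown address.
    sample = {"to": "0x" + "AA" * 20,
              "data": "0xf2fde38b" + "00" * 12 + "cc" * 20}
    for line in review(sample):
        print(line)
```

Calls batched inside another contract call are not unwrapped here; each inner call would need the same decoding before a signer approves.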

Protect Your Protocol: Take Action Today

The Radiant Capital hack highlights the growing sophistication of blockchain threats and the need for cutting-edge security solutions. FailSafe’s monitoring, access controls, and real-time threat response provide the tools necessary to defend against these evolving threats, protecting protocols and user assets.
