Radiant Capital appears to suffer $51 million exploit on its BNB Chain and Arbitrum instances

theblock.co 16/10/2024 - 18:39 PM

Omnichain Money Market Exploit at Radiant Capital

Omnichain money market Radiant Capital appears to be experiencing an exploit, as indicated by on-chain evidence and findings from Web3 security firm Ancilia. The attack commenced on Wednesday afternoon targeting Radiant’s Ethereum Layer 2 Arbitrum instance before spreading to BNB Chain, according to data from Arkham Intelligence.

> "We have noticed several transferFrom transactions from users' accounts through contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerability functions," Ancilia warned on X.

A transferFrom exploit abuses a token contract's transferFrom function, which lets one account send a specific number of tokens from a target account to a third account. It usually requires that the victim's account previously gave permission to interact with a fraudulent wallet address. Ancilia advises Radiant users to revoke all approvals for Radiant contract addresses as a precaution.
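To make the revocation advice concrete, here is an added example (not from the article, Ancilia or Radiant) that replays decoded ERC-20 `Approval` events and lists which allowances to the flagged contract are still open and need an `approve(spender, 0)`. Only the spender address comes from the warning above; the events, owners and token names are constructed placeholders.

```python
"""Added example: list token approvals still open to a flagged spender contract."""

# Spender address quoted in Ancilia's warning; everything else is constructed.
FLAGGED_SPENDER = "0xd50cf00b6e600dd036ba8ef475677d816d6c4281"
MAX_UINT256 = 2**256 - 1  # the usual "unlimited" approval value

# Constructed sample of decoded ERC-20 Approval events:
# (block, token, owner, spender, value). Owners and tokens are placeholders.
SAMPLE_APPROVALS = [
    (100, "TOKEN_A", "0xOwner1", FLAGGED_SPENDER, MAX_UINT256),
    (105, "TOKEN_A", "0xOwner2", FLAGGED_SPENDER, 5_000),
    (110, "TOKEN_B", "0xOwner1", "0xOtherSpender", 1_000),
    (120, "TOKEN_A", "0xOwner2", FLAGGED_SPENDER, 0),  # Owner2 revoked
    # Same spender written in upper case, as some tools export it.
    (130, "TOKEN_B", "0xOwner1", "0xD50CF00B6E600DD036BA8EF475677D816D6C4281", 250),
]


def open_approvals(events, spender):
    """Return {(token, owner): value} for non-zero allowances last set for spender."""
    spender = spender.lower()
    latest = {}
    for _block, token, owner, sp, value in sorted(events, key=lambda e: e[0]):
        if sp.lower() != spender:
            continue  # approval to some other contract
        # approve() overwrites the previous allowance; it does not add to it.
        latest[(token, owner.lower())] = value
    return {key: value for key, value in latest.items() if value > 0}


def revocation_plan(events, spender):
    """List the approve(spender, 0) calls still needed, unlimited approvals first."""
    ordered = sorted(open_approvals(events, spender).items(),
                     key=lambda kv: (-kv[1], kv[0]))
    return [{"token": token, "owner": owner, "unlimited": value == MAX_UINT256,
             "call": f"approve({spender}, 0)"}
            for (token, owner), value in ordered]


if __name__ == "__main__":
    for step in revocation_plan(SAMPLE_APPROVALS, FLAGGED_SPENDER):
        print(step)
```

Events only show what was last approved; because `transferFrom` spends allowance, the token's `allowance(owner, spender)` view is the authoritative value to confirm before and after revoking.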

"Radiant Capital has fallen victim to a hack resulting in losses of $51 million across Arbitrum and BNB Chain. The Ethereum and Base deployments appear secure, but we advise caution when interacting with these contracts at this time," stated Tony Ke, security research lead at Fuzzland, in an interview with The Block.

According to Ancilia, a backdoor contract was deployed around 17:09 UTC on Wednesday, allowing the unknown attacker to gain unauthorized access and begin token transfers.

"Radiant employs a multisig setup for their smart contract controls, which seems to have been compromised internally," Ke remarked. This attack suggests either a phishing incident, a compromised computer, or an insider attack leading to leaks of Radiant's private keys.

"As we discover more details about how this happened, we will work alongside the Radiant team on any possible fund recovery efforts," Ke added.

The hacker has transferred wrapped tokens such as BNB, ETH, USDC, and USDT from a Radiant-controlled wallet to a single address starting with 0x0629b. That wallet presently has a BNB balance exceeding $5 million. Its account on DeBank shows a total balance of $51 million, highlighting a staggering increase in token holdings since its inception, indicating that the attack could be even more extensive.

The attacker's address contains over $32 million in Arbitrum-based assets and roughly $18 million in tokens on BNB Chain, with significant holdings in ETH derivatives like wstETH and weETH.

Earlier this year, Radiant Capital already suffered a flash loan attack, losing approximately 1,900 ETH, valued at $4.5 million.

Editor's note: Added context regarding the hack and quotes from Fuzzland's Tony Ke.



