In a world of increasing digital reliance, the decentralized finance (defi) industry was rocked by a $50 million hack on October 16 that drained funds allocated to various projects. The attack targeted Radiant Capital, a decentralized cross-chain lending protocol built on LayerZero, and has raised concerns about the vulnerability of even the most robust defi projects.
Security experts and prominent developers have expressed their shock at the sophistication of the attack. @bantg, a notable figure in the defi community, lamented, “this level of attack is really scary. To my knowledge, the compromised signers have followed the best practices.”
An incident report by Radiant Capital and an X thread by OneKeyHQ provided a detailed account of the hack. The report identified the perpetrators as North Korean hackers, who initiated the attack on September 11.
The assault began with a Radiant Capital developer receiving a Telegram message from someone posing as a trusted former contractor seeking a new job opportunity in smart contract audits. The impersonator provided a link to a compressed PDF detailing their next assignment and even replicated the contractor’s legitimate website to enhance their credibility.
The zip file concealed an executable named INLETDRIFT which, once opened, installed malware on the developer’s macOS device and gave the attackers a foothold in the developer’s system. The malware was designed to communicate with an attacker-controlled server.
The compromised file was unwittingly shared among the team, spreading the malware further. The attackers then launched a man-in-the-middle (MITM) attack, manipulating transaction data so that developers saw what appeared to be legitimate transactions. In reality, the hackers had replaced the transactions with malicious instructions aimed at seizing ownership of the lending pool contracts.
In less than three minutes, the hackers drained the funds, removed backdoors, and erased evidence of their activities, leaving investigators with scant evidence to piece together the puzzle.
This attack underscores the escalating threat of cybercrime, as also demonstrated by the DMM Bitcoin breach that led to the closure of a Japanese crypto exchange. It also highlights the importance of adopting online collaboration tools to reduce malware risks, and the need to avoid downloading unverified files, particularly from external sources.
Front-end transaction verification is vital but susceptible to spoofing, so projects should consider advanced verification tools and supply chain monitoring to detect tampering. Moreover, hardware wallets often display only a limited summary of the transaction being signed, so a swapped payload can go unnoticed; enhanced support for multi-sig transactions could mitigate this issue.
Asset governance can be strengthened with timelocks and governance frameworks, which can delay critical fund transfers, enabling teams to identify and respond to anomalies before assets are lost.
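To make the failure mode in the two preceding paragraphs concrete, here is an added Python model (not Radiant Capital’s or OneKey’s code) of a front-end that displays one transaction while handing the wallet another, alongside an out-of-band check that recomputes the digest from the signer’s own intent and refuses critical admin calls that bypass a timelock. The function names, addresses and the sha256 stand-in for keccak256 are assumptions.

```python
"""Added example: independent transaction-intent verification against a front-end swap."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Hypothetical admin functions that should only travel through a timelock (assumption).
CRITICAL_FUNCTIONS = {"transferOwnership(address)", "setEmergencyAdmin(address)"}


@dataclass(frozen=True)
class TxIntent:
    """What the signer believes they are approving, built from trusted inputs."""
    to: str          # contract address receiving the call
    function: str    # function signature being invoked
    args: tuple      # call arguments as the signer understands them
    value_wei: int   # native value attached to the call


def tx_digest(tx: TxIntent) -> str:
    """Canonical digest of the transaction. sha256 over deterministic JSON stands in
    for the EVM's keccak256 over encoded calldata; the principle is identical."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def honest_frontend(displayed: TxIntent) -> str:
    """Well-behaved UI: the digest sent to the wallet matches what is shown."""
    return tx_digest(displayed)


def compromised_frontend(displayed: TxIntent) -> str:
    """Simulated MITM: the UI renders `displayed`, but the digest handed to the wallet
    belongs to an ownership transfer to a constructed attacker placeholder address."""
    swapped = TxIntent(to=displayed.to, function="transferOwnership(address)",
                       args=("0xATTACKER_PLACEHOLDER",), value_wei=0)
    return tx_digest(swapped)


def verify_before_signing(intended: TxIntent, presented_digest: str) -> tuple[bool, str]:
    """Recompute the digest on an independent device from the intended fields and compare
    it to what the signing device was asked to approve; never sign critical calls directly."""
    if not hmac.compare_digest(tx_digest(intended), presented_digest):
        return False, "digest mismatch: displayed intent differs from payload to be signed"
    if intended.function in CRITICAL_FUNCTIONS:
        return False, "critical admin call must be queued through the timelock, not signed"
    return True, "ok"
```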
The Radiant Capital hack serves as a harsh reminder of the persistent vulnerabilities in defi projects, even those adhering to best practices. As the defi ecosystem expands, so too does the inventiveness of attackers. Industry-wide vigilance, stringent security protocols, and robust asset governance are vital to prevent such incidents in the future.
Radiant DAO is currently assisting Mandiant in its investigation and cooperating with Zeroshadow and U.S. law enforcement authorities to freeze the stolen assets. Radiant has also expressed its commitment to sharing the lessons learned from this incident to help elevate security standards across the industry.