Radiant Capital Exploit: Key Lessons
Protect Your Assets in DeFi
Hey Team,
In the first edition of The Ultimate Guide to Onchain Security you learned the basics: mindset, CEXs, seed phrases, wallets, and isolating risk through address separation and cycling.
Since the last edition, there have been several high-profile exploits.
Unfortunately, one of them was Radiant Capital.
Over $50M was stolen from users who had deposited in the platform or had granted token approvals to Radiant smart contracts.
You can read the Radiant team's post mortem here.
The TLDR of the attack:
Radiant's dApp was controlled by a 3-of-11 multisig
The attacker compromised the devices of at least 3 signers, enough to reach the multisig threshold
Using the multisig, the attacker transferred ownership of the lending pool contracts to a malicious contract
The attacker then upgraded the lending pool contracts to drain funds deposited in the pools and to pull tokens from any address that still had a token approval granted to the affected contracts
This meant that even some users with no funds deposited on the platform were drained, simply because they had left old approvals to those contracts outstanding.
Lessons:
Limit how much of your portfolio is exposed to smart contract risk at all
Be even more careful with upgradeable or proxy contracts: an upgrade can change what an approved contract is allowed to do with your tokens, as it did here
Revoke token approvals you no longer need, using apps like revoke.cash
Isolate risk. Keep as little as possible on addresses that have any live smart contract approvals
Cycle addresses and keep dedicated HODL addresses that have never granted a contract approval
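To make the "audit and revoke approvals" lesson concrete, here is an added example (my own illustration, not code from the newsletter, from Radiant, or from revoke.cash). It replays ERC-20 Approval event logs for one owner address, keeps the latest allowance per (token, spender) pair, flags unlimited approvals, and builds the calldata for the approve(spender, 0) transaction that revokes each one, plus the allowance(owner, spender) calldata you would eth_call to confirm the result. The selectors and event topic are the standard ERC-20 values; the addresses and log entries are constructed sample data, and a real audit would fetch the logs with eth_getLogs.

```python
# Added example: audit ERC-20 approvals from Approval logs and build revoke calldata.
# Not the newsletter's or Radiant's code; addresses and logs below are constructed.

# Standard ERC-20 function selectors / event topic (keccak-256 of the signatures).
APPROVE_SELECTOR = "095ea7b3"      # approve(address,uint256)
ALLOWANCE_SELECTOR = "dd62ed3e"    # allowance(address,address)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
UNLIMITED = 2**256 - 1             # what "infinite approval" buttons actually set


def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word (hex, no 0x)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40:
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def _uint_word(n: int) -> str:
    """Encode a uint256 as a 32-byte ABI word (hex, no 0x)."""
    if not 0 <= n <= UNLIMITED:
        raise ValueError("uint256 out of range")
    return format(n, "064x")


def _word_to_addr(word: str) -> str:
    """Take the low 20 bytes of an indexed topic word as an address."""
    return "0x" + word.removeprefix("0x")[-40:].lower()


def encode_approve(spender: str, amount: int) -> str:
    """Calldata for token.approve(spender, amount); amount == 0 revokes."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + _uint_word(amount)


def encode_allowance(owner: str, spender: str) -> str:
    """Calldata for an eth_call of token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def outstanding_approvals(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender)
    wins. Returns {(token, spender): allowance} for non-zero allowances of owner."""
    latest = {}
    owner = owner.lower()
    for log in logs:
        if log["topics"][0] != APPROVAL_TOPIC:
            continue                      # not an Approval event
        if _word_to_addr(log["topics"][1]) != owner:
            continue                      # someone else's approval
        spender = _word_to_addr(log["topics"][2])
        value = int(log["data"], 16)      # non-indexed uint256 value
        latest[(log["address"].lower(), spender)] = value
    return {k: v for k, v in latest.items() if v > 0}


def revoke_plan(logs, owner):
    """One entry per live approval: what it is, and the tx that revokes it."""
    plan = []
    for (token, spender), value in sorted(outstanding_approvals(logs, owner).items()):
        plan.append({
            "token": token, "spender": spender, "allowance": value,
            "unlimited": value == UNLIMITED,
            "to": token, "data": encode_approve(spender, 0),
            "check": encode_allowance(owner, spender),  # eth_call this after revoking
        })
    return plan


# Constructed sample data (hypothetical addresses, not real contracts).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
POOL, ROUTER = "0x" + "cc" * 20, "0x" + "dd" * 20


def _log(token, owner, spender, value):
    return {"address": token,
            "topics": [APPROVAL_TOPIC, "0x" + _addr_word(owner), "0x" + _addr_word(spender)],
            "data": "0x" + _uint_word(value)}


SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, POOL, UNLIMITED),      # unlimited approval, still live
    _log(TOKEN_B, OWNER, POOL, 1000 * 10**18),  # later revoked (next line)
    _log(TOKEN_B, OWNER, POOL, 0),
    _log(TOKEN_A, OWNER, ROUTER, 5 * 10**6),    # small, still live
    _log(TOKEN_A, OTHER, POOL, UNLIMITED),      # a different owner, ignored
]

if __name__ == "__main__":
    for item in revoke_plan(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if item["unlimited"] else str(item["allowance"])
        print(f"{item['token']} -> {item['spender']}: {flag}")
        print(f"  revoke: to={item['to']} data={item['data']}")
```

The two live approvals in the sample are exactly the kind of exposure that hurt Radiant users: the unlimited one to the pool means the token contract will let that spender move the owner's entire balance, whatever the pool's code is upgraded to do later. Revoking is a normal transaction to the token contract, not to the spender, so it works even after the spender has been taken over.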
Questions about security? Read my part 1 guide and refer to the checklist below.
Industry Updates (Since Last Email)
Eigen Season 2 Airdrop Claim
OP token airdrop #5: wallet checker & tweet
Note: you can check address eligibility without connecting your wallet to the website:
Telegram to provide data to government (IP address & phone number) upon request
Airdrop Magnets
Solana announces Seeker (Next solana phone)
dgen1 (Ethereum Phone)
World Liberty Fi Announces token sale
Aave v3 mainnet proposal
Good Reads
State of Crypto Report (a16z)
Coingecko 2024 Q3 Crypto industry report