defirisk.co
rubric v1.7.0

Radiant Capital: Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain

Occurred: 2024-10-16 | Loss: $53M | Status: closed

Summary

Radiant Capital, a Lending / Money Market protocol (Aave fork), suffered an exploit on 2024-10-16, resulting in a loss of approximately $53M.

What happened

An attacker compromised 3 of Radiant Capital's 11 multisig keys, used them to transfer lending pool ownership to a malicious contract deployed 14 days earlier, and drained $53M — all while the team stayed silent for 2 hours.

Linked factors

  • RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade was the attack vector; but the underlying contract's upgrade mechanism was a design feature]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — multisig transactions transferring pool ownership and upgrading implementation were the exploit itself]
  • RD-F-028 — causal : ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers] || ★ Low-threshold multisig vs TVL [via cross-hack: Factor 28: Insufficient Multisig Signing Threshold for TVL at Risk]
  • RD-F-030 — causal : Hot-wallet signer flag on multisig [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — multisig transactions transferring pool ownership and upgrading implementation were the exploit itself]
  • RD-F-122 — related : Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
  • RD-F-125 — causal : ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Aave v2 fork]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade was the attack vector; but the underlying contract's upgrade mechanism was a design feature]