Radiant Capital Hack Analysis

lunaray
2 min read · Oct 18, 2024


Background

On October 17, 2024, we detected an attack on BNB Smart Chain targeting Radiant Capital. The attack transaction was: https://bscscan.com/tx/0xd97b93f633aee356d992b49193e60a571b8c466bf46aaf072368f975dc11841c

The attack caused a total loss of about 50M USD. Radiant Capital is a cross-chain DeFi lending protocol that uses LayerZero as its cross-chain messaging layer to offer omnichain leveraged lending and composability.

Attack and incident analysis

The attack had three steps:

Step 1: Compromise the project's core personnel. Ownership of the protocol was held by a multisig, and the attacker got three of its signers to sign malicious transactions that handed the owner permission to the attacker.

Step 2: With the owner permission, the attacker replaced the implementation behind Radiant's lending pool proxy with the attacker's own contract (0xf0c0a1a19886791c2dd6af71307496b1e16aa232).

Step 3: The attacker called the lending pool proxy, which delegated to the attack contract. The attack contract called transferUnderlyingTo, a function the pool's reserve token contracts accept only from the lending pool address, to move the underlying assets out of the reserves to the attacker's address and complete the drain.

Reportedly, the root cause was that the hardware-wallet signing setups of three core developers were compromised. The transactions displayed on the wallet front end looked normal and legitimate, but the payload actually delivered to the hardware wallets for signing was the attacker's. Once all three developers had signed, the attacker held everything needed to carry out the rest of the attack.
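The check that would have caught steps 1 and 2 at signing time, as an added example that is not part of the original post and not Radiant's or Lunaray's code: it decodes the calldata actually handed to the hardware wallet, compares it with what the front end displayed, and refuses any ownership transfer or implementation upgrade whose target is not on an explicit allow-list. The selectors are the standard OpenZeppelin ones for transferOwnership, upgradeTo and upgradeToAndCall; all addresses, the "routine" selector, the allow-list and the audit_payload function are this example's own constructed assumptions.

```python
"""Signer-side check of a multisig transaction payload before a hardware
wallet signs it. Added illustration; not Radiant's or Lunaray's code.
The three selectors are the standard OpenZeppelin ones; every address and
the "routine" selector below are constructed placeholders."""

from dataclasses import dataclass

# 4-byte selectors (first bytes of keccak256 of the signature) of calls that
# hand over control of a contract or swap the code a proxy executes.
PRIVILEGED_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

# Constructed placeholder addresses, not real contracts.
LENDING_POOL = "0x" + "11" * 20   # the proxy the signers expect to call
TIMELOCK = "0x" + "22" * 20       # an address they would accept as new owner
ATTACKER = "0x" + "66" * 20       # where the malicious payload points
ROUTINE_SELECTOR = "a1b2c3d4"     # constructed selector of a harmless admin call


@dataclass
class DisplayedIntent:
    """What the (possibly compromised) front end told the signer."""
    to: str
    selector: str
    first_arg: str = ""   # address argument shown, if any


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def encode_call(selector_hex: str, *address_args: str) -> str:
    """ABI-encode a call whose arguments are all addresses (32-byte words)."""
    words = (bytes(12) + bytes.fromhex(_strip0x(a)) for a in address_args)
    return "0x" + selector_hex + "".join(w.hex() for w in words)


def decode_call(data_hex: str):
    """Split calldata into its selector and 32-byte argument words."""
    data = bytes.fromhex(_strip0x(data_hex))
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    return data[:4].hex(), [data[i:i + 32] for i in range(4, len(data), 32)]


def word_to_address(word: bytes) -> str:
    """An address word is 12 zero bytes then the 20-byte address; else ''."""
    if len(word) != 32 or any(word[:12]):
        return ""
    return "0x" + word[12:].hex()


def audit_payload(to: str, data_hex: str, shown: DisplayedIntent, trusted) -> list:
    """Compare the bytes the device will sign against what the front end
    displayed and against an allow-list of acceptable control targets.
    Returns the reasons to refuse; an empty list means it is safe to sign."""
    findings = []
    selector, words = decode_call(data_hex)
    trusted_lower = {a.lower() for a in trusted}

    if to.lower() != shown.to.lower():
        findings.append(f"target mismatch: payload goes to {to}, front end showed {shown.to}")
    if selector != shown.selector.lower():
        findings.append(f"selector mismatch: payload calls {selector}, front end showed {shown.selector}")

    first_arg = word_to_address(words[0]) if words else ""
    if shown.first_arg and first_arg.lower() != shown.first_arg.lower():
        findings.append(f"argument mismatch: payload has {first_arg}, front end showed {shown.first_arg}")

    # Even an honest display is not enough: control may only move to allow-listed addresses.
    if selector in PRIVILEGED_SELECTORS and first_arg.lower() not in trusted_lower:
        findings.append(f"{PRIVILEGED_SELECTORS[selector]} hands control to untrusted "
                        f"{first_arg or '<non-address argument>'}")
    return findings


if __name__ == "__main__":
    trusted = {LENDING_POOL, TIMELOCK}
    # The front end shows a routine pool call; the device actually receives
    # transferOwnership(ATTACKER) aimed at the same proxy.
    shown = DisplayedIntent(to=LENDING_POOL, selector=ROUTINE_SELECTOR)
    payload = encode_call("f2fde38b", ATTACKER)
    for reason in audit_payload(LENDING_POOL, payload, shown, trusted):
        print("REFUSE:", reason)
```

The allow-list is the part that matters most: an upgradeTo or transferOwnership pointing anywhere other than a known timelock or audited contract is refused regardless of what the UI says. In practice this comparison has to happen on the hardware device's own screen, or in an independent tool fed the raw bytes, because the front end is precisely the component that lied to the signers here.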

Summary

The main reason for this attack was that Radiant's core staff lacked security awareness: the attacker presented them with a forged front end that displayed a legitimate transaction while the bytes being signed handed ownership of the lending pool to the attacker. With owner permission the attacker swapped the pool's implementation and transferred all the assets in the lending pool. It is recommended that the project conduct security awareness training for its core staff. Two concrete controls are worth adding: signers should verify the target address and decoded calldata on the hardware wallet's own screen rather than trusting the web front end, and ownership transfers and proxy implementation changes should pass through a timelock so that a single compromised signing session cannot immediately drain the pool.


Written by lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.
