<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?action=history&amp;feed=atom&amp;title=Radiant_Capital_Gnosis_Safe_Wallet_Malware</id>
	<title>Radiant Capital Gnosis Safe Wallet Malware - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?action=history&amp;feed=atom&amp;title=Radiant_Capital_Gnosis_Safe_Wallet_Malware"/>
	<link rel="alternate" type="text/html" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Radiant_Capital_Gnosis_Safe_Wallet_Malware&amp;action=history"/>
	<updated>2026-07-14T17:54:35Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.39.1</generator>
	<entry>
		<id>https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Radiant_Capital_Gnosis_Safe_Wallet_Malware&amp;diff=6227&amp;oldid=prev</id>
		<title>Azoundria: Created page with &quot;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/radiantcapitalgnosissafewalletmalware.php}} {{Unattributed Sources}}  Radiant Capital Logo/HomepageRadiant Capital is a decentralized autonomous organization which has a goal to unify fragmented liquidity across various money market protocols. Users who provide their capital can expect to earn a portion of the generated fees. Radiant Capital thought it w...&quot;</title>
		<link rel="alternate" type="text/html" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Radiant_Capital_Gnosis_Safe_Wallet_Malware&amp;diff=6227&amp;oldid=prev"/>
		<updated>2024-10-18T19:04:03Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/radiantcapitalgnosissafewalletmalware.php}} {{Unattributed Sources}}  &lt;a href=&quot;/cryptocurrencyhackscamfraudwiki/index.php?title=File:Radiantcapital.jpg&quot; title=&quot;File:Radiantcapital.jpg&quot;&gt;thumb|Radiant Capital Logo/Homepage&lt;/a&gt;Radiant Capital is a decentralized autonomous organization which has a goal to unify fragmented liquidity across various money market protocols. Users who provide their capital can expect to earn a portion of the generated fees. Radiant Capital thought it w...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/radiantcapitalgnosissafewalletmalware.php}}&lt;br /&gt;
{{Unattributed Sources}}&lt;br /&gt;
&lt;br /&gt;
[[File:Radiantcapital.jpg|thumb|Radiant Capital Logo/Homepage]]Radiant Capital is a decentralized autonomous organization which has a goal to unify fragmented liquidity across various money market protocols. Users who provide their capital can expect to earn a portion of the generated fees. Radiant Capital thought it would be a good idea to manage routine smart contract transactions through blind signing on hardware wallets with full permissions. Attackers reportedly &amp;quot;exploited multiple developers' hardware wallets through a highly advanced malware injection&amp;quot;. Radiant Capital has thus far released a post-mortem report and there haven't yet been any discussions on recovery for users, other than from tracing down the funds, thus far.&amp;lt;ref name=&amp;quot;rektnews-16165&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;archive-16166&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;radiant-16167&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rekthqtwitter-16168&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;anciliainctwitter-16169&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;bscscan-16170&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;arbiscan-16171&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;anciliainctwitter-16172&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rdntcapitailtwitter-16173&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;radiantdocs-16174&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16175&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16176&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16177&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16178&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;zeroshadow-16179&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;safeapp-16180&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;radiantcapitalmedium-16181&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== About Radiant Capital ==&lt;br /&gt;
&amp;quot;The Radiant DAO’s mission is to unify the billions in fragmented liquidity across Web3 money markets under one safe, user-friendly, capital-efficient omnichain protocol.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Earn Interest &amp;amp; Borrow Assets Cross-Chain, Seamlessly&amp;quot; &amp;quot;Dynamic liquidity providers share platform fees captured in blue-chip assets&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Battle-tested and audited by multiple leading security firms. Radiant's security is of the highest priority.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== The Reality ==&lt;br /&gt;
This sections is included if a case involved deception or information that was unknown at the time. Examples include:&lt;br /&gt;
&lt;br /&gt;
* When the service was actually started (if different than the &amp;quot;official story&amp;quot;).&lt;br /&gt;
* Who actually ran a service and their own personal history.&lt;br /&gt;
* How the service was structured behind the scenes. (For example, there was no &amp;quot;trading bot&amp;quot;.)&lt;br /&gt;
* Details of what audits reported and how vulnerabilities were missed during auditing.&lt;br /&gt;
&lt;br /&gt;
== What Happened ==&lt;br /&gt;
&amp;quot;Radiant Capital's future has dimmed following&amp;quot; &amp;quot;devastating attack that drained over $53 million from user wallets.&amp;quot;&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|+Key Event Timeline - Radiant Capital Gnosis Safe Wallet Malware&lt;br /&gt;
!Date&lt;br /&gt;
!Event&lt;br /&gt;
!Description&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 11:09:18 AM MDT&lt;br /&gt;
|Arbitrum Exploit Transaction&lt;br /&gt;
|A transaction exploits to transfer ownership of the Arbitrum smart contract to the attacker.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 11:11:00 AM MDT&lt;br /&gt;
|BNB Back Door Smart Contract&lt;br /&gt;
|According to Ancilia, this is the time when a backdoor smart contract was deployed to drain funds.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 11:35:00 AM MDT&lt;br /&gt;
|Ancilia Mentions Exploit&lt;br /&gt;
|Ancilia Inc. notes that there are several transfers from the contracts and warns users to revoke approvals to Radiant Capital quickly.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 12:24:00 PM MDT&lt;br /&gt;
|Ancilia Mentions Arbitrum&lt;br /&gt;
|Ancilia acknowledges that there was an attack on the ARbitrum blockchain as well.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 1:27:00 PM MDT&lt;br /&gt;
|Radiant Capital Acknowledgement&lt;br /&gt;
|Radian Capital acknowledges the exploit on Binance Smart Chain and Arbitrum blockchains. They report to be &amp;quot;working with SEAL911, Hypernative, ZeroShadow &amp;amp; Chainalysis&amp;quot;. They have also reportedly paused markets on base and mainnet.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 1:30:00 PM MDT&lt;br /&gt;
|Revoke Approvals Assistance&lt;br /&gt;
|Scammers set up a phishing site to help users who want to revoke approvals have less assets to worry about going forward.&lt;br /&gt;
|-&lt;br /&gt;
|October 16th, 2024 4:04:00 PM MDT&lt;br /&gt;
|Real Revoke Instructions&lt;br /&gt;
|Radiant Capital provides instructions for users to revoke approvals to 4 exploited contracts via the commonly used website revoke.cash.&lt;br /&gt;
|-&lt;br /&gt;
|October 17th, 2024 9:54:00 AM MDT&lt;br /&gt;
|Rekt Investigation Posted&lt;br /&gt;
|Rekt posts their investigation on their website and on Twitter.&lt;br /&gt;
|-&lt;br /&gt;
|October 17th, 2024 9:26:00 PM MDT&lt;br /&gt;
|Public Statement Released&lt;br /&gt;
|The Radiant Capital team releases a public statement highlighting the vulnerability and how the legitimate transaction data showed up in their Gnosis Safe wallets. Their team believed they were signing a legitimate transaction and performed all checks that they typically would, including&lt;br /&gt;
|-&lt;br /&gt;
|October 17th, 2024 9:43:00 PM MDT&lt;br /&gt;
|FBI To US Law Enforcement&lt;br /&gt;
|Radiant Capital updates their post to replace &amp;quot;FBI&amp;quot; with US law enforcement. It is unclear if the FBI was the agency informed or not.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Technical Details ==&lt;br /&gt;
Attackers reportedly &amp;quot;exploited multiple developers' hardware wallets through a highly advanced malware injection&amp;quot;. The breach reportedly &amp;quot;occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Front-end verification of all three multi-signature transactions showed no signs of compromise, aside from Safe App transaction resubmissions due to failures. It is important to highlight that resubmitting Safe transactions due to failures is a common and expected occurrence. Transactions submitted on the Safe front-end can fail due to gas price fluctuations, nonce mismatch, network congestion, insufficient gas limit, smart contract execution errors, token insufficiency, pending transactions, front-end synchronization issues, timeouts, or permission/signature errors in multi-signature setups. As a result, this behavior did not raise immediate suspicion. The malicious actors exploited this normalcy, using the process to collect multiple compromised signatures over several attempts, all while mimicking the appearance of routine transaction failures.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;To underscore the significance of this point, the compromise was completely undetectable during the manual review of the Gnosis Safe UI and Tenderly simulation stages of the routine transaction. This has been confirmed by external security teams, including @_SEAL_Org and @HypernativeLabs.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Compromised wallets&lt;br /&gt;
0x20340c2a71055FD2887D9A71054100FF7F425BE5 (Ledger hardware wallet managed via Rabby)&lt;br /&gt;
0x83434627e72d977af18F8D2F26203895050eF9Ce (Ledger hardware wallet managed via Rabby)&lt;br /&gt;
0xbB67c265e7197A7c3Cd458F8F7C1d79a2fb04d57 (Trezor hardware wallet managed via Frame)&lt;br /&gt;
Admin multisig wallets and signature threshold (at time of exploit)&lt;br /&gt;
Ethereum: 0x0235a22a38Dd09291800e097bD2ebE6e3b4d5F04 (3/9)&lt;br /&gt;
BSC Chain: 0xE4714D6BD9a6c0F6194C1aa8602850b0a1cE1416 (3/11)&lt;br /&gt;
Base: 0xBBf7eDF92926b775A434f9DF15860f4CD268B0A0 (3/9)&lt;br /&gt;
Arbitrum: 0x111CEEee040739fD91D29C34C33E6B3E112F2177 (3/11)&lt;br /&gt;
Known attackers wallets&lt;br /&gt;
0x0629b1048298AE9deff0F4100A31967Fb3f98962 (Main attacker)&lt;br /&gt;
0x57ba8957ed2ff2e7ae38f4935451e81ce1eefbf5 (Main attack contract)&lt;br /&gt;
0x911215CF312a64C128817Af3c24B9fDF66B7Ac95 (Testing address)&lt;br /&gt;
0x97a05becc2e7891d07f382457cd5d57fd242e4e8 (Laundering address)&lt;br /&gt;
0x9c5939AAC4f65A0eA233E657507C7b54acDE2841 (Laundering address)&lt;br /&gt;
0x8B75E47976C3C500D0148463931717001F620887 (Funds consolidated on Arb + Eth)&lt;br /&gt;
0xcF47c058CC4818CE90f9315B478EB2f2d588Cc78 (Funds consolidated on BSC)&lt;br /&gt;
0xa0e768a68ba1bfffb9f4366dfc8d9195ee7217d1 (GMX interactions / swaps)&lt;br /&gt;
0xc24927Bd40Bab67CcfB2ca0A90d6cbB8Edb21302 (Approvals drainer on Arbitrum)&lt;br /&gt;
0x579145D6d1F26a460d9BDD3040C37517dac379ac (Approvals drainer on BSC)&lt;br /&gt;
0xC4173a794122644870C8fd07c226acF992507897 (Approvals drainer on BSC + ARB)&lt;br /&gt;
0x3D4C56cdB97355807157F5C7d4F54957f0E9af44 (Contract created on 17th October)&lt;br /&gt;
0x3c09Ae8571db07a3347c1D577BB9a54F96bFfa24 (Contract created on 17th October)&lt;br /&gt;
0xbc20e84d80a684dAEa4468be6F199a233A3d2363 (Test contract)&lt;br /&gt;
0x5eb63694A18B618C4EbDd9CA3333fa7f9b8B9cB4 (Related to test contract)&lt;br /&gt;
0xD899F3d8ff2A723642d5C55eD1998713C530b7b3 (Related to test contract)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== Total Amount Lost ==&lt;br /&gt;
53m or 48m or 50m depending on source?&lt;br /&gt;
&lt;br /&gt;
The total amount lost has been estimated at $53,000,000 USD.&lt;br /&gt;
&lt;br /&gt;
== Immediate Reactions ==&lt;br /&gt;
&amp;quot;#ancilia_alerts It seems like something happen with @RDNTCapital contract on BSC. We have noticed several transferFrom user's account through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerability functions.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== Ultimate Outcome ==&lt;br /&gt;
&amp;quot;Radiant Capital has been working very closely with Seal911 and Hypernative and has since implemented stronger multisig controls. The U.S. law enforcement and @zeroshadow_io are fully informed of the breach and are actively working to freeze all stolen assets. The DAO is deeply devastated by this attack and will continue to work tirelessly with the respective agencies to identify the exploiter and recover the stolen funds as quickly as possible.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The DAO has been working very closely with U.S. law enforcement and ZeroShadow and maintain an excellent relationship with both groups. They are fully informed of the breach and are actively working to freeze all stolen assets. The DAO is deeply devastated by this attack and will continue to remain available 24/7 to assist the respective agencies working to identify the exploiter and recover the stolen funds as quickly as possible.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== Total Amount Recovered ==&lt;br /&gt;
There do not appear to have been any funds recovered in this case.&lt;br /&gt;
&lt;br /&gt;
What funds were recovered? What funds were reimbursed for those affected users?&lt;br /&gt;
&lt;br /&gt;
== Ongoing Developments ==&lt;br /&gt;
What parts of this case are still remaining to be concluded?&lt;br /&gt;
== Individual Prevention Policies ==&lt;br /&gt;
{{Prevention:Individuals:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Individuals:End}}&lt;br /&gt;
&lt;br /&gt;
== Platform Prevention Policies ==&lt;br /&gt;
{{Prevention:Platforms:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Platforms:End}}&lt;br /&gt;
&lt;br /&gt;
== Regulatory Prevention Policies ==&lt;br /&gt;
{{Prevention:Regulators:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Regulators:End}}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;ref name=&amp;quot;rektnews-16165&amp;quot;&amp;gt;[https://rekt.news/radiant-capital-rekt2/ Rekt - Radiant Capital - Rekt II] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;archive-16166&amp;quot;&amp;gt;[https://archive.ph/XWAUF https://archive.ph/XWAUF] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;radiant-16167&amp;quot;&amp;gt;[https://radiant.capital/ Radiant] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rekthqtwitter-16168&amp;quot;&amp;gt;[https://twitter.com/RektHQ/status/1846942869799469566 @RektHQ Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;anciliainctwitter-16169&amp;quot;&amp;gt;[https://twitter.com/AnciliaInc/status/1846605867753591002 @AnciliaInc Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;bscscan-16170&amp;quot;&amp;gt;[https://bscscan.com/tx/0xd97b93f633aee356d992b49193e60a571b8c466bf46aaf072368f975dc11841c BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;arbiscan-16171&amp;quot;&amp;gt;[https://arbiscan.io/tx/0x7856552db409fe51e17339ab1e0e1ce9c85d68bf0f4de4c110fc4e372ea02fb1 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;anciliainctwitter-16172&amp;quot;&amp;gt;[https://twitter.com/AnciliaInc/status/1846618258163761551 @AnciliaInc Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rdntcapitailtwitter-16173&amp;quot;&amp;gt;[https://twitter.com/RDNTCapitail/status/1846634774674514326 @RDNTCapitail Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;radiantdocs-16174&amp;quot;&amp;gt;[https://docs.radiant.capital/radiant/radiantv2 Introducing Radiant v2 | Radiant 2.0] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16175&amp;quot;&amp;gt;[https://twitter.com/RDNTCapital/status/1846634050100039881 @RDNTCapital Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16176&amp;quot;&amp;gt;[https://twitter.com/RDNTCapital/status/1847116913672868018 @RDNTCapital Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16177&amp;quot;&amp;gt;[https://twitter.com/RDNTCapital/status/1846673545973432333 @RDNTCapital Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;rdntcapitaltwitter-16178&amp;quot;&amp;gt;[https://twitter.com/RDNTCapital/status/1847121278974480779 @RDNTCapital Twitter] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;zeroshadow-16179&amp;quot;&amp;gt;[https://www.zeroshadow.io/ HOME | zeroShadow] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;safeapp-16180&amp;quot;&amp;gt;[https://app.safe.global/welcome Safe{Wallet} – Welcome] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;radiantcapitalmedium-16181&amp;quot;&amp;gt;[https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081 Radiant Capital Post-Mortem. Events Summary | by Radiant Capital | Oct, 2024 | Medium] (Accessed Oct 18, 2024)&amp;lt;/ref&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Azoundria</name></author>
	</entry>
</feed>