Radiant Capital Gnosis Safe Wallet Malware

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Radiant Capital Logo/Homepage

Radiant Capital is a decentralized autonomous organization whose goal is to unify fragmented liquidity across various money market protocols. Users who provide capital can expect to earn a portion of the generated fees. Radiant Capital thought it would be a good idea to manage routine smart contract transactions through blind signing on hardware wallets with full permissions. Attackers reportedly "exploited multiple developers' hardware wallets through a highly advanced malware injection". Radiant Capital has thus far released a post-mortem report; there have not yet been any discussions on recovery for users beyond tracing the funds.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Radiant Capital

"The Radiant DAO’s mission is to unify the billions in fragmented liquidity across Web3 money markets under one safe, user-friendly, capital-efficient omnichain protocol."

"Earn Interest & Borrow Assets Cross-Chain, Seamlessly" "Dynamic liquidity providers share platform fees captured in blue-chip assets"

"Battle-tested and audited by multiple leading security firms. Radiant's security is of the highest priority."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"Radiant Capital's future has dimmed following" "devastating attack that drained over $53 million from user wallets."

Key Event Timeline - Radiant Capital Gnosis Safe Wallet Malware

Date | Event | Description
October 16th, 2024 11:09:18 AM MDT | Arbitrum Exploit Transaction | An exploit transaction transfers ownership of the Arbitrum smart contract to the attacker.
October 16th, 2024 11:11:00 AM MDT | BNB Back Door Smart Contract | According to Ancilia, this is the time when a backdoor smart contract was deployed to drain funds.
October 16th, 2024 11:35:00 AM MDT | Ancilia Mentions Exploit | Ancilia Inc. notes that there are several transfers from the contracts and warns users to revoke approvals to Radiant Capital quickly.
October 16th, 2024 12:24:00 PM MDT | Ancilia Mentions Arbitrum | Ancilia acknowledges that there was an attack on the Arbitrum blockchain as well.
October 16th, 2024 1:27:00 PM MDT | Radiant Capital Acknowledgement | Radiant Capital acknowledges the exploit on the Binance Smart Chain and Arbitrum blockchains. They report to be "working with SEAL911, Hypernative, ZeroShadow & Chainalysis". They have also reportedly paused markets on Base and mainnet.
October 16th, 2024 1:30:00 PM MDT | Revoke Approvals Assistance | Scammers set up a phishing site posing as revoke-approval help, so that users who want to revoke approvals have fewer assets to worry about going forward.
October 16th, 2024 4:04:00 PM MDT | Real Revoke Instructions | Radiant Capital provides instructions for users to revoke approvals to 4 exploited contracts via the commonly used website revoke.cash.
October 17th, 2024 9:54:00 AM MDT | Rekt Investigation Posted | Rekt posts their investigation on their website and on Twitter.
October 17th, 2024 9:26:00 PM MDT | Public Statement Released | The Radiant Capital team releases a public statement highlighting the vulnerability and how the legitimate transaction data showed up in their Gnosis Safe wallets. Their team believed they were signing a legitimate transaction and performed all checks that they typically would, including
October 17th, 2024 9:43:00 PM MDT | FBI To US Law Enforcement | Radiant Capital updates their post to replace "FBI" with "US law enforcement". It is unclear whether the FBI was the agency informed.

Technical Details

Attackers reportedly "exploited multiple developers' hardware wallets through a highly advanced malware injection". The breach reportedly "occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates."

"Front-end verification of all three multi-signature transactions showed no signs of compromise, aside from Safe App transaction resubmissions due to failures. It is important to highlight that resubmitting Safe transactions due to failures is a common and expected occurrence. Transactions submitted on the Safe front-end can fail due to gas price fluctuations, nonce mismatch, network congestion, insufficient gas limit, smart contract execution errors, token insufficiency, pending transactions, front-end synchronization issues, timeouts, or permission/signature errors in multi-signature setups. As a result, this behavior did not raise immediate suspicion. The malicious actors exploited this normalcy, using the process to collect multiple compromised signatures over several attempts, all while mimicking the appearance of routine transaction failures."

"To underscore the significance of this point, the compromise was completely undetectable during the manual review of the Gnosis Safe UI and Tenderly simulation stages of the routine transaction. This has been confirmed by external security teams, including @_SEAL_Org and @HypernativeLabs."

"Compromised wallets:
  • 0x20340c2a71055FD2887D9A71054100FF7F425BE5 (Ledger hardware wallet managed via Rabby)
  • 0x83434627e72d977af18F8D2F26203895050eF9Ce (Ledger hardware wallet managed via Rabby)
  • 0xbB67c265e7197A7c3Cd458F8F7C1d79a2fb04d57 (Trezor hardware wallet managed via Frame)

Admin multisig wallets and signature threshold (at time of exploit):
  • Ethereum: 0x0235a22a38Dd09291800e097bD2ebE6e3b4d5F04 (3/9)
  • BSC Chain: 0xE4714D6BD9a6c0F6194C1aa8602850b0a1cE1416 (3/11)
  • Base: 0xBBf7eDF92926b775A434f9DF15860f4CD268B0A0 (3/9)
  • Arbitrum: 0x111CEEee040739fD91D29C34C33E6B3E112F2177 (3/11)

Known attacker wallets:
  • 0x0629b1048298AE9deff0F4100A31967Fb3f98962 (Main attacker)
  • 0x57ba8957ed2ff2e7ae38f4935451e81ce1eefbf5 (Main attack contract)
  • 0x911215CF312a64C128817Af3c24B9fDF66B7Ac95 (Testing address)
  • 0x97a05becc2e7891d07f382457cd5d57fd242e4e8 (Laundering address)
  • 0x9c5939AAC4f65A0eA233E657507C7b54acDE2841 (Laundering address)
  • 0x8B75E47976C3C500D0148463931717001F620887 (Funds consolidated on Arb + Eth)
  • 0xcF47c058CC4818CE90f9315B478EB2f2d588Cc78 (Funds consolidated on BSC)
  • 0xa0e768a68ba1bfffb9f4366dfc8d9195ee7217d1 (GMX interactions / swaps)
  • 0xc24927Bd40Bab67CcfB2ca0A90d6cbB8Edb21302 (Approvals drainer on Arbitrum)
  • 0x579145D6d1F26a460d9BDD3040C37517dac379ac (Approvals drainer on BSC)
  • 0xC4173a794122644870C8fd07c226acF992507897 (Approvals drainer on BSC + ARB)
  • 0x3D4C56cdB97355807157F5C7d4F54957f0E9af44 (Contract created on 17th October)
  • 0x3c09Ae8571db07a3347c1D577BB9a54F96bFfa24 (Contract created on 17th October)
  • 0xbc20e84d80a684dAEa4468be6F199a233A3d2363 (Test contract)
  • 0x5eb63694A18B618C4EbDd9CA3333fa7f9b8B9cB4 (Related to test contract)
  • 0xD899F3d8ff2A723642d5C55eD1998713C530b7b3 (Related to test contract)"

Total Amount Lost

Reported figures vary by source: $53M, $48M or $50M.

The total amount lost has been estimated at $53,000,000 USD.

Immediate Reactions

"#ancilia_alerts It seems like something happened with @RDNTCapital contract on BSC. We have noticed several transferFrom calls from users' accounts through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerable functions."

Ultimate Outcome

"Radiant Capital has been working very closely with Seal911 and Hypernative and has since implemented stronger multisig controls. The U.S. law enforcement and @zeroshadow_io are fully informed of the breach and are actively working to freeze all stolen assets. The DAO is deeply devastated by this attack and will continue to work tirelessly with the respective agencies to identify the exploiter and recover the stolen funds as quickly as possible."

"The DAO has been working very closely with U.S. law enforcement and ZeroShadow and maintains an excellent relationship with both groups. They are fully informed of the breach and are actively working to freeze all stolen assets. The DAO is deeply devastated by this attack and will continue to remain available 24/7 to assist the respective agencies working to identify the exploiter and recover the stolen funds as quickly as possible."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Radiant Capital - Rekt II (Accessed Oct 18, 2024)
  2. https://archive.ph/XWAUF (Accessed Oct 18, 2024)
  3. Radiant (Accessed Oct 18, 2024)
  4. @RektHQ Twitter (Accessed Oct 18, 2024)
  5. @AnciliaInc Twitter (Accessed Oct 18, 2024)
  6. BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Oct 18, 2024)
  7. Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Oct 18, 2024)
  8. @AnciliaInc Twitter (Accessed Oct 18, 2024)
  9. @RDNTCapital Twitter (Accessed Oct 18, 2024)
  10. Introducing Radiant v2 | Radiant 2.0 (Accessed Oct 18, 2024)
  11. @RDNTCapital Twitter (Accessed Oct 18, 2024)
  12. @RDNTCapital Twitter (Accessed Oct 18, 2024)
  13. @RDNTCapital Twitter (Accessed Oct 18, 2024)
  14. @RDNTCapital Twitter (Accessed Oct 18, 2024)
  15. HOME | zeroShadow (Accessed Oct 18, 2024)
  16. Safe{Wallet} – Welcome (Accessed Oct 18, 2024)
  17. Radiant Capital Post-Mortem. Events Summary | by Radiant Capital | Oct, 2024 | Medium (Accessed Oct 18, 2024)