
Radiant Capital: The Malware-Induced "Blind Signing" Multi-Sig Exploit (October 2024 / February 2025)

In late 2024 and persisting into the early 2025 security post-mortem cycle, Radiant Capital suffered a $50 million to $58 million exploit targeting its multi-signature governance wallets. This incident is a landmark case in operational supply chain security, where the compromise occurred not in the smart contract code, but in the human-machine interface.

Technical Overview

Radiant Capital utilized a multi-signature (SafeWallet) architecture requiring several signers to approve high-privilege actions, such as contract upgrades. While the Safe contracts are historically robust, the attack targeted the local execution environment of the signers' devices.

This was not a simple private key theft, but a coordinated malware injection designed to circumvent the visual verification process of multi-sig approvals.

Exploit Mechanism: Frontend vs. Firmware Deception

The attacker utilized sophisticated malware (potentially delivered via a compromised PDF or system update) to intercept the transaction signing flow on multiple developers' devices.

  1. Frontend Mirroring: When the developer initiated or reviewed a transaction in the SafeWallet web interface, the malware displayed legitimate transaction data (e.g., a routine interest rate update or pool configuration).
  2. Payload Replacement: In the background, the malware intercepted the transaction data being sent from the browser to the connected hardware wallet (e.g., Ledger). It replaced the legitimate payload with a malicious one: a transferOwnership() or upgradeTo() call.
  3. The "Blind Signing" Trap: Hardware wallets, while secure, often lack the firmware capacity to "parse" and display the complex internal data strings of multi-sig protocol upgrades in human-readable plain text. The signers, seeing "Transaction OK" on their screen, signed the raw hex data on their devices.
  4. Governance Hijack: Once the attacker secured the required number of signatures (e.g., 3-of-11 or similar threshold), they effectively became the owner of the Radiant protocol contracts on Arbitrum and BNB Smart Chain.
  5. The Drain: The attacker immediately upgraded the protocol implementation to a malicious version that permitted the withdrawal of all deposited collateral, which was then swapped via 1inch/PancakeSwap and moved off-chain.

Why This Matters (The Interface Invariant)

The Radiant hack proved that "What You See Is Not Always What You Sign." It highlighted a critical gap in the DeFi security stack: the assumption that if the blockchain code is audited and the keys are in hardware, the system is secure. If the interface connecting the user to the hardware is compromised, the human becomes the weak point.

Mitigation Strategies​

  • Clear Signing Adoption: Mandate the use of hardware wallet firmware and multi-sig frontends that support "Clear Signing", the ability to decode and display the exact function and parameters being signed on the device's physical screen.
  • Independent Payload Verification: Signers should utilize a second, air-gapped terminal to independently reconstruct and verify the transaction hash before signing on their primary device.
  • Out-of-Band (OOB) Confirmation: Critical governance actions should require signers to confirm the intent and the calldata hash via an independent communication channel (e.g., a secure specialized multisig app or a physical meeting).
  • Strict Device Isolation: Devices used for signing multi-sig transactions for high-TVL protocols should be dedicated "signing laptops" with no external software, browser extensions, or document handling capabilities.

Conclusion

The Radiant Capital exploit serves as a definitive lesson in Administrative Layer Security. As smart contracts become more secure through formal verification, attackers will shift their focus to the human operators and the interfaces they trust. Total protocol security now requires an audit of the signing environment as rigorous as the audit of the code itself.