The $58M Job Offer: How a PDF Cost Radiant Capital Everything

October 16, 2024 (UTC)

17:09 — Suspicious contract activity detected on-chain
~18:00 — Public alerts issued by blockchain security monitors
Shortly after — Protocol markets paused
Later — Funds bridged and partially routed through Tornado Cash

By the time public warnings were issued, control over critical protocol components had already been lost.

THE TAKEOVER AND DRAIN:¶

Once sufficient multisig approvals were obtained:

Control over the protocol was modified.
A malicious contract execution path was triggered.
Lending pools on Arbitrum and BNB Chain were drained.

Transaction (BNB Chain):
0xd97b93f633aee356d992b49193e60a571b8c466bf46aaf072368f975dc11841c

Funds were rapidly moved across chains and later partially routed through Tornado Cash, significantly complicating recovery efforts.

During the incident response phase:

Multiple third-party warnings circulated rapidly on social media.
At least one widely shared revoke link was later identified as unsafe.
Users were exposed to additional risk amid panic and misinformation.

This highlights a recurring pattern in live exploit scenarios:
speed often outpaces verification.

CORE SECURITY FAILURE:¶

This incident exposes a structural weakness in current DeFi operational security.

Multisig plus hardware wallets protect private keys, not transaction intent.

If a signing environment is compromised, even flawless cryptography cannot prevent:

• Misrepresentation of transaction data.
• UI-level deception.
• Legitimate signatures authorizing malicious outcomes.

Simulations, audits, and dashboards are ineffective if the data being simulated is already manipulated.

PRACTICAL TAKEAWAYS¶

For protocol teams managing administrative privileges:

• Treat all signing machines as high-value targets.
• Separate transaction construction, review, and signing responsibilities.
• Avoid blind signing for privileged operations whenever possible.
• Use out-of-band calldata decoding and verification.
• Assume UI compromise is feasible, even on trusted systems.

Radiant Capital followed many industry best practices.

That was not enough.

Until transaction intent can be verified independently of the signing interface, hardware wallets remain necessary but insufficient protection for high-value protocol governance.

This was not a failure of cryptography.

It was a failure of trust boundaries.