Greetings!

This week saw over $62M stolen in five incidents, with operational security failures being the primary root case. Let’s focus on those failures to extract key lessons.

Radiant Capital suffered a sophisticated $58M hack across multiple chains executed within minutes of each other. In this compromise, bad actors were able to take over at least three signers in order to execute malicious upgrades, which quickly drained all stored value. Using on-chain data and the recently published post-mortem, we can reconstruct the exploit timeline:

Prep
2024-10-02 01:12:37 UTC - Prep exploit deployed on Arbitrum.
2024-10-02 08:22:46 UTC - Prep exploit deployed on BSC.
2024-10-02 08:34:51 UTC - Prep exploit deployed on Base.
2024-10-02 08:41:35 UTC - Prep exploit deployed on Mainnet.

Exploit
2024-10-16 15:46:00 UTC - Arb Nonce 230 transaction proposal.
2024-10-16 15:46:00 UTC - Eth Nonce 127 transaction proposal.
2024-10-16 17:09:18 UTC - Arbitrum ownership transfer and exploit.
2024-10-16 17:09:35 UTC - Automated pause triggering on Mainnet.
2024-10-16 17:09:40 UTC - Automated pause triggering on BSC.
2024-10-16 17:11:00 UTC - BSC ownership transfer and exploit.

Triage
2024-10-16 17:12:00 UTC - War room started.
2024-10-16 17:38:00 UTC - Ancilla X announcement.
2024-10-16 17:43:41 UTC - Base contract paused.
2024-10-16 19:27:00 UTC - Radiant X announcement.

Mitigation
2024-10-16 21:36:00 UTC - Removing compromised wallets on Mainnet.
2024-10-16 22:04:00 UTC - Revoke access X post
2024-10-16 21:40:00 UTC - Removing compromised wallets on Base.
2024-10-16 22:10:00 UTC - Removing compromised wallets on BSC.

Thanks to Radiant’s report we now know that they were well prepared by using Hypernative to automatically pause vulnerable contracts. Unfortunately, pausing is only effective for traditional smart contract exploits. Attackers could still upgrade vulnerable contracts to bypass this control.

According to Radiant, the war room was started minutes after the first hack. That’s impressive; however, the investigation clearly didn’t identify key compromise as the root cause since they opted for pausing of the Base contract. Given the circumstances, Radiant’s team should have prioritized moving at-risk funds to a safe wallet rather than relying solely on pausing vulnerable contracts.

To make things even more complicated, Radiant noted their regular practice to simulate transactions to ensure the proposer was not compromised:

Each transaction was simulated for accuracy on Tenderly and individually reviewed by multiple developers at each signature stage. Front-end checks in both Tenderly and Safe showed no anomalies during these reviews.

It took Radiant only a day to identify the most likely attack vector for the exploit, which is stealth transaction replacement using malware on compromised signer machines:

The devices were compromised in such a way that the front-end of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background. This breach occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates.

This attack demonstrates a new level of sophistication from threat actors, capable of taking over developer machines, writing custom malware, navigating on and off chain governance, smart contract development, money laundering.

In the meantime, let’s discuss just a few steps you can take today to better defend your project against this attack:

Multi-sig

• Implement time delay on all infrequently used, critical administrative actions (multiple days) with the ability to veto the proposal with a guardian account.

• Implement at least a 5/n multi-sig for such critical governance actions.

• Move high frequency administrative functions to a separate multi-sig/role with minimum privileges. Time delays could be shorter and multi-sig size smaller, but still require a review process with an ability to veto.

Secops

• Dedicated hosts for all critical administrative actions. A cheap $200 Chromebook is sufficient. The key is “dedicated”. So no browsing, tweeting, checking emails or job applicant reviews.

There is a lot more of course and I hope to cover that during the upcoming talk at DeFi Security Summit; however, at the very least buy everyone some Chromebooks.

North Korean IT workers strike again with Tapioca losing $4.4M not counting wider impact of devalued token and infinite minting of USDO. On the bright side, the SEAL 911 team stepped in to save another $2.7M before it could be stolen as well.

In other news, Transak lost almost 100K user records including full names, passport and driver license numbers, user selfies, etc. Get ready for another barrage of sophisticated phishing campaigns.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!