Post-mortem: October 16, 2024 Exploit Impact on RIZ Vaults

Feedback
, ,
1

​Radiant Capital DAO Post-mortem:

October 16, 2024 Exploit Impact on RIZ Vaults (BNB & Arbitrum)

On October 16, 2024, Radiant Capital experienced a sophisticated security breach that resulted in the loss of approximately $50 million. This incident not only impacted the core markets but also had significant repercussions for the RIZ Vaults, affecting assets across the Arbitrum and BNB chains.

Overview of the Incident

The breach was orchestrated through a highly advanced malware attack that Radiant security partners and law enforcement agencies have since attributed to hackers associated with the DPRK. The attackers compromised core developers’ devices, manipulating the Safe{Wallet} interface to display legitimate transaction data while executing malicious transactions in the background. This allowed the hacker to hijack the Aave lending contracts that Radiant employs and drain substantial funds from core markets on Arbitrum and BNB Chain, including the RIZ vault assets allocated to those core markets.

Impact on RIZ Vaults

Beyond the immediate losses in the core markets, the exploit had a cascading effect on the RIZ Vaults, which are designed to optimize yield by diversifying collateral across various strategies. The affected vaults and their respective losses are detailed below:​

  • rizWETH (Arbitrum): Loss of 99.992 WETH​

  • rizUSDC (Arbitrum): Loss of 51,878.82 USDC

  • rizUSDT (BNB Chain): Loss of 171.03 USDT​

Mechanism of Impact

Depositors’ collateral in these RIZ Vaults was managed by the rizYearnV3VaultFactory contracts on both Arbitrum and BNB Chain. This system dispersed collateral into various yRizStrategy contracts, which regularly rebalanced holdings across RIZ vaults such as ZRO/USDC and USDC/USDY, as well as core contracts.​

While this diversification aimed to optimize yield and mitigate risk, the exploit disrupted the balance of funds within the vaults:​

  • rizUSDC Vault: Had a higher concentration in RIZ Vaults like USDC_ZRO or USDC_USDY, which allowed it to fulfill withdrawals. This led to the unpausing of the vault on November 27, 2024, facilitating withdrawals totaling 64,229.73 USDC to date. ​

  • rizWETH Vault (Arbitrum): Had a higher concentration in rWETH (ETH Core market on Radiant), resulting in a total loss of 100 WETH, which were irrecoverable.​

  • rizUSDT Vault (BNB Chain): Due to its high exposure in RIZ vaults, there was a near full recovery of assets by users by withdrawing assets from the USDT Vault.​

Contracts Impacted

The specific contracts affected by this incident include:

Arbitrum:

  • rizUSDC: 0x2e7Aa06A0F0816De4b1A32a12B0aC4Eb584BFF2A​

  • rizWETH: 0x86dF48f8DC91504D2B3E360d67513f094Dfa6C84​

BNB Chain:

  • rizUSDT: 0x7725A28d7a717Dd66F05422dBD68f5ca1b9b1090​

Response and Mitigation Measures

In the aftermath of the exploit, Radiant Capital has taken several steps to enhance security and restore confidence:​

  • Collaboration with Security Experts: We have engaged leading cybersecurity firms, including ZeroShadow, Mandiant, Hypernative, and SEAL911, to conduct thorough investigations and assist in asset recovery efforts.

  • Strengthening Protocol Security: Improvements have been implemented, such as transferring ownership into a timelock contract to enforce a mandatory 72-hour waiting period for any adjustments, and introducing an emergency admin role using a multi-signature structure to manage the pausing and unpausing of markets as necessary.

  • User Advisories: We have advised all users to revoke any approvals on all chains—Arbitrum, BSC, Ethereum, and Base—to prevent further unauthorized access.

  • RIZ Vault Losses Checker Page: Until a remediation portal is implemented, users can look up their exploit loss balances, including the RIZ vault losses, with this Google Sheets checker page.
    Note: Links to these Google Docs expose personal information. Use a temporary Google account or a private browser tab to avoid this exposure.

Conclusion

The October 16, 2024 security breach was a pivotal moment for Radiant Capital, highlighting vulnerabilities and underscoring the need to usher in a new era of accountability, transparency, and continuous improvement in not just Radiant’s security protocols and in other aspects of the project as well. The remaining highly capable team, led by the newly ratified community council (RFP-48), is committed to the highest level of transparency and is dedicated to implementing robust measures to protect the community’s assets, including a Guardian Fund (currently being proposed). Since the hack and establishment of the community council, the overall remediation plan was also approved and is currently being fleshed out and executed as directed by the community. We extend our deepest gratitude to the Radiant community for their patience and trust as we navigate this challenging period and work diligently towards recovery, remediation, and regrowth.