According to a post from blockchain security firm SlowMist, the private keys to 3 out of 11 addresses that managed the Radiant Capital project were compromised, which was enough to approve malicious transactions that involved a “transfer ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.” This allowed the attacker to drain Radiant Capital’s lending pools on Arbitrum and BNB Chain.
Radiant Capital acknowledged the attack a few hours after it happened and paused its Base and Ethereum contracts as a precaution. On October 18th, the project posted a longer post-mortem tweet stating: “The attackers exploited multiple developers’ hardware wallets through a highly advanced malware injection.”
The post continues that Radiant Capital DAO “is deeply devastated by this attack and will continue to work tirelessly with the respective agencies to identify the exploiter and recover the stolen funds as quickly as possible.” The post-mortem also notes: “The DAO has significantly tightened security on the Admin & DAO multi-sigs (other safes to follow in due course) by reducing the number of signers to 7, with a new signing threshold of 4 out of 7, ensuring that nearly 60% of signers must approve a transaction before it can be executed.”