Slow Fog releases Radiant Capital security incident analysis: Attackers illegally control 3 owner permissions in the multi-signature wallet

ChainCatcher news, Slow Mist releases an analysis of the Radiant Capital security incident (Arbitrum chain):

Radiant Capital uses a multi-signature wallet (0x111ceeee040739fd91d29c34c33e6b3e112f2177) to manage key operations such as contract upgrades and fund transfers. However, the attacker illegally gained control of the owner permissions of 3 out of the 11 owners of the multi-signature wallet.

Since Radiant Capital's multi-signature wallet employs a 3/11 signature verification model, the attacker first used the private keys of these 3 owners to perform off-chain signatures, and then initiated an on-chain transaction from the multi-signature wallet to transfer the ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.

Subsequently, the malicious contract called the setLendingPoolImpl function of the LendingPoolAddressesProvider contract, upgrading the underlying logic contract of the Radiant lending pool to a malicious backdoor contract (0xf0c0a1a19886791c2dd6af71307496b1e16aa232).

Finally, the attacker executed the backdoor function, transferring funds from various lending markets into the attack contract.

Previous news, Radiant Capital suffered a cyber attack, resulting in losses exceeding $50 million.