1. Incident Overview
On October 16, 2024, Radiant Capital, a decentralized cross-chain lending protocol built on LayerZero, was hacked, resulting in the theft of approximately $50 million in funds that had been authorized to the project's contracts. An investigation by several security companies hired by the project, including Mandiant, strongly indicates that the attack is linked to North Korea.
2. Attack Process
1. Disguise: On September 11, a Radiant Capital developer received a Telegram message from someone posing as a 'contractor' (outsourced staff) who claimed to be working on a new smart contract audit and asked for help reviewing the project report, with a compressed file attached. The sender's profile also linked to a fake website that closely resembled the real domain as a personal homepage, which led the developer to fall for the scam.
2. Poison: After the file was unzipped, what looked like an ordinary PDF was in fact executable malware named INLETDRIFT (a macOS .app bundle). Once run, it silently installed a backdoor on the macOS system and kept up continuous communication with a North Korean attacker-controlled server ('atokyonews[.]com'). The developer also shared the file with others, expanding the malware's reach.
3. Precise Attack: With the Trojan in place, the hackers intercepted the team's transaction data while the team operated the Gnosis Safe (@safe) multi-signature wallet. The transaction looked normal in the front end, but its content was replaced when the request was transmitted to the Ledger hardware wallet for signing. Because the hardware wallet relies on blind signing, team members unknowingly signed transferOwnership(), handing control of the lending pool to the attackers and enabling the large-scale transfer of funds authorized to the contracts. Although Radiant Capital employed a range of security measures, including hardware wallets, transaction simulation tools (such as Tenderly) and industry-standard operating procedures, the Trojan gave the hackers control of the compromised computer and let them remain undetected.
4. Retreat: Within three minutes of the successful theft, the hackers removed the system backdoor and browser extensions, erasing traces that could have exposed their identity.
3. Lessons from the Incident
1. File Download Prevention: In day-to-day collaboration, avoid downloading and opening files from unknown sources, especially archives and executables. Prefer online document tools (such as Google Docs or Notion) so that files are viewed and edited in the browser, reducing the risk of malware spreading. In addition, members holding sensitive permissions should harden their devices and install antivirus software, and the team should strengthen its file-handling protocols to guard against social engineering attacks.
2. Front-End Security Issues: Most transaction validation currently relies on front-end interfaces, which makes it susceptible to hackers forging transaction information. Supply chain attacks on front-end dependency packages are also frequent, as in the incident in which the 'Solana official web3.js library' was attacked.
3. Blind Signing Mechanism Risks: Many hardware wallets display only a brief transaction summary, so the full transaction data is not presented and users find it hard to identify malicious content. For instance, while OneKey has made progress on blind signing for Permit, important signatures such as Safe multi-signature transactions still need ongoing improvement.
4. Strengthening Risk Control for DeFi Assets: Projects managing large funds should implement time locks (Timelock) and improve governance processes for fund-related protocols, for example by adopting a T+1 delay mechanism, so that during significant fund transfers security agencies and white hat hackers have time to detect anomalies, raise alerts, and take action. Users can also revoke their authorizations during the delay period to protect their assets. In addition, the Radiant project was exploited because its contract upgrade permissions lacked a Revoke function, which highlights weaknesses in the project's contract design.
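As an added example (not code from the original article or from the Radiant project), the following Python model shows the T+1 timelock with a revoke path that the lesson above calls for: privileged calls such as transferOwnership are queued, cannot execute before the delay expires, are visible to monitors while they wait, and can be cancelled inside that window. The contract name, function names, admin label and address are constructed placeholders.

```python
from dataclasses import dataclass

DAY = 24 * 60 * 60                              # T+1: one full day of delay
SENSITIVE = {"transferOwnership", "upgradeTo"}  # calls a monitor should flag

@dataclass
class Operation:
    target: str
    func: str
    args: tuple
    eta: int                 # earliest timestamp at which execution is allowed
    status: str = "pending"  # pending | cancelled | executed

class Timelock:
    """Privileged calls are queued, wait `delay` seconds and can be revoked meanwhile."""
    def __init__(self, admins, delay=DAY):      # admins: the Safe multisig in practice
        self.admins, self.delay, self.ops = set(admins), delay, []
    def _authorize(self, admin):
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not a timelock admin")
    def schedule(self, admin, target, func, args, now):
        self._authorize(admin)
        self.ops.append(Operation(target, func, tuple(args), now + self.delay))
        return len(self.ops) - 1                # operation id
    def ready(self, op_id, now):                # may this call run now?
        op = self.ops[op_id]
        return op.status == "pending" and now >= op.eta
    def cancel(self, admin, op_id):             # the revoke path the incident lacked
        self._authorize(admin)
        if self.ops[op_id].status != "pending":
            raise RuntimeError(f"operation {op_id} is already {self.ops[op_id].status}")
        self.ops[op_id].status = "cancelled"
    def execute(self, admin, op_id, now):
        self._authorize(admin)
        if not self.ready(op_id, now):
            raise RuntimeError(f"operation {op_id} is not executable at {now}")
        self.ops[op_id].status = "executed"
        return self.ops[op_id]
    def alerts(self):                           # what monitors and white hats see in the window
        return [(i, op.func, op.args) for i, op in enumerate(self.ops)
                if op.status == "pending" and op.func in SENSITIVE]

def scenario():
    """Constructed walk-through: an ownership transfer is queued, flagged and revoked."""
    tl, t0 = Timelock(admins={"safe"}), 1_700_000_000   # placeholder admin and clock
    op = tl.schedule("safe", "LendingPool", "transferOwnership", ("0xNEWOWNER",), t0)
    early, flagged = tl.ready(op, t0 + 3600), tl.alerts()  # refused inside the delay, but visible
    tl.cancel("safe", op)                                  # signers revoke it before eta
    return {"ready_early": early, "flagged": flagged, "ready_after_cancel": tl.ready(op, t0 + DAY + 1)}
```

Enforcing the same delay on contract upgrade permissions closes the gap the lesson describes, since an upgrade queued by a compromised signer stays revocable for a full day.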