Introduction
This blog post dives into a recent investigation by SphereX's analytics team, uncovering new details about the attacker behind the January 2024 Radiant Capital exploit. While many articles and posts covering the details of the hack have already been published, our findings shed light on the attacker's likely pre-attack activities.
Recap of the Radiant Capital Attack:
The Radiant Capital attack, detailed in the post mortem linked above (see tx), exploited the well-known Compound fork vulnerability. PeckShield, one of the first firms to report the hack, stated that the attacker exploited the time window that opens when a new market is activated in a lending protocol.
Connecting the Dots: From Metaland to Radiant
While investigating the attack, SphereX's analytics team came across an EOA responsible for the Metaland protocol hack on Ethereum mainnet, which was executed just 5 weeks before the Radiant Capital attack (see tx).
Notably, both Metaland and Radiant are forks of the Compound protocol, suggesting the attacker targeted vulnerabilities common across these platforms.
A Practice Run Emerges
Here's where things get intriguing.
Just two days after the Metaland attack, the same EOA initiated another transaction, this time on the Arbitrum chain. This transaction looks oddly similar to the Radiant Capital attack transaction. It even mirrored the Radiant Capital attack in its flow and transferred nearly identical token amounts (minus a few zeros).
But, unlike the Radiant Capital attack, the target token in this transaction was not the official Radiant token but a fake "Radiant interest bearing WETH (rWETH)" token. The contract involved appears in this transaction alone. It is also unverified, which draws further suspicion. Strangely, the fake token was deployed by a Tornado Cash funded wallet in May 2022, around the time the actual Radiant token was deployed. This may indicate that the fake token was originally a scam copy token.
Planning the Attack
While based on circumstantial evidence, this investigation paints a compelling picture. The attacker appears to have spent a significant amount of time – 5 weeks – waiting for the opportunity to attack the target protocol (that is, waiting for the deployment of a new market). On top of this, the time spent on exploit research, on the practice run, and on finding the practice contract should also be considered.
Disclaimer: This blog post explores a possible explanation based on the available data. Further investigation may reveal additional details.
[Illustration] The hacker, waiting for 5 weeks for an opportunity to attack with maximum effect.
Conclusion
During this time several red flags were raised, including the identification of the EOA involved in the practice attack (labeled as 'Metaland exploiter' long before the Radiant Capital hack). Yet no one connected the dots and warned Radiant Capital in time. They surely wish they had known that they were next. This case highlights the importance of ongoing vigilance and preventative security measures within DeFi protocols.
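The conclusion above is that an EOA already labeled as an exploiter interacted with the target protocol, and nobody correlated the two. The following is an added example of the kind of watchlist correlation that would have surfaced that red flag; it is not SphereX's code or tooling. It assumes a feed of transactions per chain, an attribution map from EOA to label (as a block explorer tag or an internal label would provide), and a map of a protocol's market contracts to their activation timestamp. The EOA, market addresses, hashes, timestamps and the 7-day "newly activated market" window are constructed placeholders, not on-chain data. The lookup is deliberately chain-agnostic, because the same EOA was active on Ethereum mainnet and on Arbitrum.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

SECONDS_PER_DAY = 86_400
# Assumed heuristic: a market activated less than this many days before the
# transaction is treated as "newly activated", the window the post-mortems
# describe as the exploitable one, so the alert severity is raised.
NEW_MARKET_WINDOW_DAYS = 7


@dataclass(frozen=True)
class Tx:
    chain: str
    tx_hash: str
    sender: str      # EOA that signed the transaction
    to: str          # contract called
    timestamp: int   # block timestamp, unix seconds


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    chain: str
    sender: str
    label: str
    severity: str


def normalize(addr: str) -> str:
    """Canonical lower-case form so checksummed and lower-case spellings of the
    same 20-byte address compare equal (labels are often stored checksummed)."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def find_alerts(txs: Iterable[Tx], watchlist: Dict[str, str],
                market_activation: Dict[str, int]) -> List[Alert]:
    """Return one alert per transaction sent by a watch-listed EOA (on any
    chain) to one of the monitored market contracts."""
    watch = {normalize(addr): label for addr, label in watchlist.items()}
    markets = {normalize(addr): ts for addr, ts in market_activation.items()}
    alerts: List[Alert] = []
    for tx in txs:
        sender, target = normalize(tx.sender), normalize(tx.to)
        if sender not in watch or target not in markets:
            continue
        age_days = (tx.timestamp - markets[target]) / SECONDS_PER_DAY
        severity = "high" if 0 <= age_days < NEW_MARKET_WINDOW_DAYS else "medium"
        alerts.append(Alert(tx.tx_hash, tx.chain, sender, watch[sender], severity))
    return alerts


# ---- constructed sample data (placeholders, not real addresses or hashes) ----
T0 = 1_700_000_000
EXPLOITER = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"   # labeled after an earlier hack
BYSTANDER = "0x2222222222222222222222222222222222222222"
MARKET_OLD = "0x3333333333333333333333333333333333333333"  # activated at T0
MARKET_NEW = "0x4444444444444444444444444444444444444444"  # activated 100 days later
UNRELATED = "0x5555555555555555555555555555555555555555"

WATCHLIST = {EXPLOITER.upper().replace("0X", "0x"): "Metaland exploiter (constructed)"}
MARKET_ACTIVATION = {MARKET_OLD: T0, MARKET_NEW: T0 + 100 * SECONDS_PER_DAY}

SAMPLE_TXS = [
    Tx("ethereum", "0xtx1", EXPLOITER, UNRELATED, T0 + 1 * SECONDS_PER_DAY),
    Tx("arbitrum", "0xtx2", EXPLOITER, MARKET_NEW, T0 + 102 * SECONDS_PER_DAY),
    Tx("arbitrum", "0xtx3", BYSTANDER, MARKET_NEW, T0 + 102 * SECONDS_PER_DAY),
    Tx("arbitrum", "0xtx4", EXPLOITER, MARKET_OLD, T0 + 103 * SECONDS_PER_DAY),
]


def run_sample() -> List[Alert]:
    return find_alerts(SAMPLE_TXS, WATCHLIST, MARKET_ACTIVATION)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.severity.upper()}] {alert.chain} {alert.tx_hash}: "
              f"{alert.sender} ({alert.label})")
```

On the sample feed this yields two alerts: a high-severity one for the watch-listed EOA touching the market that was activated two days earlier, and a medium one for the same EOA touching the long-established market. The transaction to an unrelated contract and the bystander's transaction produce nothing, which keeps the alert volume tied to the protocol's own attack surface rather than to everything a labeled address does.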
About the author
Maor has many years of experience in software development, QA, cyber security and more. Before joining SphereX as an analyst, Maor served 10 years in Israeli intelligence doing software development, QA and research and leading teams, and spent 4 years at Kayhut as an R&D group leader and in product management.