Analyzing the Bybit Hack Using the Radiant Multi-Signature Attack as an Example

Beginner | 2/22/2025, 4:21:23 AM
On February 21, 2025, a serious security incident occurred at the cryptocurrency exchange Bybit, where over $1.5 billion in assets were stolen. This incident is similar to the attack on the Radiant Capital cross-chain lending protocol in October 2025, where attackers stole funds by controlling multi-signature private keys and exploiting contract vulnerabilities. Both incidents highlight the increasing complexity of hacker attacks and expose security vulnerabilities in the crypto industry. This article provides an in-depth analysis of the technical details of the Radiant incident, focusing on the abuse of malicious contracts and multi-signature wallets. The article concludes by emphasizing the urgent need to strengthen industry security measures to protect user assets.

Introduction

On February 21, 2025, a serious security incident occurred at the cryptocurrency exchange Bybit, resulting in the theft of over $1.5 billion in assets. Although Bybit officials responded promptly and stated that they could withstand the losses, the event still caused widespread industry shock. Against this backdrop, we cannot help but recall the theft of the Radiant Capital cross-chain lending protocol on October 17, 2025. While the two incidents differ in terms of attack methods and implementation paths, they both reveal the serious challenges that the cryptocurrency industry faces in terms of security.

In particular, Yu Xi, founder of the SlowMist team, pointed out that the Bybit theft may be related to North Korean hacker groups (this is speculation only; there is currently no evidence that North Korean hacker groups were responsible, and it should not be taken as a reference). The way the attackers in the Radiant incident gained control, by controlling multi-signature private keys and exploiting malicious contract vulnerabilities, is also similar to some North Korean hacker tactics. Whether it is controlling cold wallets or tampering with smart contracts, both incidents indicate that hackers' attack methods have become more complex and covert, posing a challenge to the security of the cryptocurrency market. Taking Radiant as an example, this article analyzes the process of a multi-signature attack.

Image: https://x.com/evilcos/status/1892970435194863997

Brief Description of Radiant Capital Attack

On October 17th, Radiant Capital’s cross-chain lending protocol was hit by a network attack, resulting in a loss of over $50 million. Radiant is a universal fund market across all chains where users can deposit any asset on any mainstream blockchain and borrow assets. On-chain data shows that the hacker swiftly transferred the stolen assets from Arbitrum and BNB Chain, with approximately 12,834 ETH and 32,112 BNB being deposited into two addresses respectively.

Process Analysis

The core of this attack is that the attacker has taken control of the private keys of multiple signers, thereby taking over multiple smart contracts. Next, we will delve into the specific process of this attack and the technical means behind it.

  1. The attacker invoked the multicall feature through a malicious contract (0x57ba8957ed2ff2e7ae38f4935451e81ce1eefbf5). multicall allows multiple different operations to be executed in a single call. In this invocation, the attacker targeted two components of the Radiant system: the Pool Address Provider and the Lending Pool.

  2. In transaction 1, the attacker controlled a Gnosis multisig wallet (GnosisSafeProxy_e471_1416). Through malicious calls, the attacker successfully executed an execTransaction, which used transferOwnership to modify the contract address of the lending pool provider. This gave the attacker control of the lending pool contract and allowed further malicious operations.

  3. The attacker exploited the contract upgrade mechanism by calling the setLendingPoolImpl function to replace Radiant's lending pool implementation contract with their own malicious contract, 0xf0c0a1a19886791c2dd6af71307496b1e16aa232. This malicious contract contains a backdoor function that allows the attacker to further manipulate the flow of funds in the system.

     A backdoor function is a hidden function in a malicious contract. It is usually designed to appear normal, but it allows attackers to bypass normal security measures and directly obtain or transfer assets.

  4. After the lending pool contract was replaced, the attacker called the upgradeToAndCall function to execute the backdoor logic in the malicious contract, transferring assets from the lending market to a contract controlled by the attacker and profiting from it.
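A pre-signing check that a multisig signer could run on the kind of calls described above, as an added example that is not part of the original article or of Radiant's code: it derives the 4-byte selectors of transferOwnership, setLendingPoolImpl and upgradeToAndCall and blocks any such call whose address argument is not on an approved list. The `review` function, the approved list, the argument types in the signatures, and the assumption that the inner call has already been unwrapped from execTransaction/multicall are all assumptions of this example.

```python
# Added example: review() and the approved list are hypothetical names.
MASK = (1 << 64) - 1

def _rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & MASK

def keccak256(data: bytes) -> bytes:
    """Keccak-256 as used by the EVM (0x01 padding, not SHA-3's 0x06)."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    a = [0] * 25                          # lane (x, y) lives at a[x + 5*y]
    for off in range(0, len(buf), 136):
        for i in range(17):               # absorb one 136-byte block
            a[i] ^= int.from_bytes(buf[off + 8*i: off + 8*i + 8], "little")
        lfsr = 1
        for _ in range(24):               # Keccak-f[1600] rounds
            c = [a[x] ^ a[x+5] ^ a[x+10] ^ a[x+15] ^ a[x+20] for x in range(5)]
            d = [c[(x+4) % 5] ^ _rol(c[(x+1) % 5], 1) for x in range(5)]
            a = [a[i] ^ d[i % 5] for i in range(25)]
            x, y, cur = 1, 0, a[1]
            for t in range(24):
                x, y = y, (2*x + 3*y) % 5
                cur, a[x + 5*y] = a[x + 5*y], _rol(cur, (t+1)*(t+2)//2)
            for y in range(0, 25, 5):
                row = a[y:y+5]
                for x in range(5):
                    a[y+x] = row[x] ^ (~row[(x+1) % 5] & row[(x+2) % 5])
            for j in range(7):            # round constant from the LFSR
                lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
                if lfsr & 2:
                    a[0] ^= 1 << ((1 << j) - 1)
    return b"".join(v.to_bytes(8, "little") for v in a[:4])

# Functions named in the article; argument types are assumed.
PRIVILEGED = ("transferOwnership(address)", "setLendingPoolImpl(address)",
              "upgradeToAndCall(address,bytes)")
SELECTORS = {keccak256(s.encode())[:4]: s for s in PRIVILEGED}

def review(calldata_hex: str, approved: set) -> str:
    """Verdict for one inner call; `approved` holds lowercase 0x addresses."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(raw[:4])
    if sig is None:
        return "ok: not a privileged call"
    if len(raw) < 36 or any(raw[4:16]):   # address word must be left-padded
        return f"BLOCK {sig}: malformed address argument"
    addr = "0x" + raw[16:36].hex()
    if addr in approved:
        return f"ok: {sig} -> approved {addr}"
    return f"BLOCK {sig}: {addr} not on approved list"
```

The point of the check is that the signer sees the decoded function and target address rather than an opaque hex blob, which is where a swapped implementation address would otherwise go unnoticed.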

Conclusion: From Radiant to Bybit, security remains a top priority in the cryptocurrency industry

Although the theft incidents of Bybit and Radiant occurred in different projects, their attack methods have highlighted the common security risks in the cryptocurrency market. Whether it is through controlling multi-signature private keys or tampering with smart contracts, hackers have been able to easily break through traditional security defenses using sophisticated technical means.

As hacker attacks grow more sophisticated, how to enhance the security of cryptocurrency exchanges and protocols has become a problem that the entire industry must consider deeply. Whether by strengthening technical protection or by adding more stringent security reviews during contract upgrades, future crypto projects will need to continuously enhance their own security capabilities to ensure the safety of user assets.

Gate.io is well aware of the importance of safeguarding user asset security and has always prioritized it. We regularly conduct security audits through detailed management of cold wallets and hot wallets, combined with user balance snapshots and Merkle tree structures, as well as advanced technologies, to comprehensively optimize asset storage and management processes, ensuring the security and transparency of every asset.

This theft incident once again reminds the entire industry of the security challenges it faces. Gate.io will learn from it, continuously upgrade its security protection system, adopt more advanced technical means and risk monitoring measures, and ensure the platform is always stable and reliable. We promise to spare no effort to safeguard user assets and provide users with a stable and trustworthy trading environment.

Author: Max
Reviewer(s): Wayne
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.io.
* This article may not be reproduced, transmitted or copied without referencing Gate.io. Contravention is an infringement of Copyright Act and may be subject to legal action.
