Radiant Capital's $50M Mistake: When Hardware Wallets Blindly Signed It All Away

NiqNiq
/Jul 22, 2025
Radiant Capital's $50M Mistake: When Hardware Wallets Blindly Signed It All Away

Key Takeaways

• The attackers used malware to alter transaction data at the endpoint level—what team members saw wasn’t what they actually signed.

• Hardware wallets weren’t hacked, but tricked into signing malicious payloads that transferred contract ownership and drained funds.

• This was a coordinated, professional operation that exploited blind signing, Gnosis Safe’s signature process, and weak endpoint security.

• Prevention requires timelocks, multi-layered governance, endpoint hardening, and improved transaction visibility—signing alone isn’t security.

One morning in October 2024, the Radiant Capital team woke up to a nightmare:
More than $50 million had vanished from the protocol’s vaults overnight.

This wasn’t a contract bug.
It wasn’t a front-end exploit.
It was something far more surgical — and far more terrifying.

A "trojan horse" attack that hijacked the very act of signing a transaction.
And it worked.

The Attack: What You See Is Not What You Sign

Radiant Capital operated with all the usual security measures:

  • Gnosis Safe for multi-signature control
  • Hardware wallets for critical signers

But what the team saw on screen and what their wallets actually signed turned out to be two very different things.

Attackers planted trojans in team members’ computers that intercepted and altered transaction data.

On screen, the transaction looked normal — just another routine multi-sig approval.
But on-chain, their hardware wallets had just signed transferOwnership() — giving full control of the lending pools to the attacker.

🎯 The Payload: Ownership, Upgrade, and Theft in One Shot

With forged signatures in hand, the attacker executed an atomic transaction that:

  1. Transferred contract ownership
  2. Upgraded the lending protocol’s logic
  3. Initiated a massive asset drain

The malicious contract then invoked transferFrom() to steal funds from users who had previously approved interactions with the lending pool.

Even now, funds continue to be siphoned off if vulnerable users send tokens to the pool address.

No, the Hardware Wallet Wasn’t Hacked — It Was Deceived

There’s no evidence the attackers broke into the hardware wallets themselves.

Instead, they:

Injected malware into team devices to silently replace signing requests with malicious payloads.

The result?

  • The wallet displayed a clean-looking transaction
  • But signed something else entirely

Worse, the forged signatures never even showed up in the Gnosis Safe UI, which should have been a red flag.

This Wasn’t Amateur Hour — It Was a Professional Heist

The level of coordination here is staggering.
This was not a lone hacker with some lucky guesses.
This was a full-blown operation involving:

  • Trojan deployment & persistence
  • Hardware wallet interception tooling
  • Deep knowledge of Gnosis Safe’s signing flow
  • Custom smart contract deployment
  • Atomic execution architecture
  • And yes — a planned exit via money laundering

This was a heist. And it worked.

But the more complex the attack chain, the more clues it leaves behind — and the higher the chance of forensic recovery.

How to Protect Yourself (and Your Protocol)

This attack wasn’t just about tech — it was about process failures.
Here’s how teams and users can defend against similar threats:

✅ 1. Add a Timelock and Real Governance Process

Critical actions like contract upgrades or ownership transfers should never execute instantly.

Introduce:

  • Timelocks (T+1 or longer) for sensitive actions
  • Governance flows that include multiple roles and off-chain alarms

A 24-hour delay could have prevented $50M in losses.

✅ 2. Never Blindly Sign — Always Verify

Hardware wallets are only secure if you trust what you're signing.

Be vigilant for red flags:

  • Hardware wallet signs something, but no signature appears in Gnosis Safe
  • Signing prompt shows ambiguous or mismatched data

If something feels off — stop immediately.

Wallet vendors like OneKey are actively improving support for complex transaction decoding, reducing the need for blind signing.

✅ 3. Secure the Endpoints — Malware Is the Real Backdoor

Don’t let your signing computer become your weakest link.

Best practices:

  • Use dedicated signing devices — not your daily browser machine
  • Keep OS and firmware up to date
  • Install trusted anti-malware solutions
  • Never install unverified software, scripts, or plugins
  • For teams, consider endpoint audits with security firms like SlowMist

🧩 Final Thoughts: Signing ≠ Security

The Radiant Capital attack isn’t just a one-off tragedy — it’s a wake-up call.

A hardware wallet doesn’t protect you from what you willingly sign.

Every signature is an act of trust — and in this case, that trust was weaponized.

Whether you’re a developer, founder, or power user, remember:

The coldness of your wallet means nothing if your eyes aren’t wide open.

Sign safe. Stay safe.

Secure Your Crypto Journey with OneKey

View details for OneKey ProOneKey Pro

OneKey Pro

Touch. Scan. Own It.

View details for OneKey Classic 1SOneKey Classic 1S

OneKey Classic 1S

Pocket-Light, Bank-Tight.

View details for OneKey SifuOneKey Sifu

OneKey Sifu

Crypto Clarity—One Call Away.

Keep Reading