You must revoke these contracts to protect your Binance wallet

  • Attackers exploited a vulnerability in a Radiant Capital smart contract.

  • The affected networks were BNB Smart Chain and Arbitrum, an Ethereum layer-2 (L2) network.

Radiant Capital, a decentralized finance (DeFi) app, was attacked on October 16 by hackers who managed to extract more than $50 million from the BNB Smart Chain (BSC) and Arbitrum (ARB) networks, the latter being Ethereum’s largest layer-2 (L2) network.

After learning of the incident, the exchange, through the Binance Web3 Wallet account on X, detailed the Ethereum (ETH), Arbitrum, BSC and Base contracts that users must revoke “as soon as possible” from their wallets to avoid further consequences of the vulnerability exploited by the hackers.

On DeFi platforms, users often grant smart contracts permission from their wallet to move their tokens on their behalf and execute actions with them. This is done using the “approve” function, which sets an allowance of tokens that the contract can spend. Revoking these approvals, as requested by Binance, means withdrawing those permissions, ensuring that the compromised contracts can no longer move the user’s tokens.

To carry out this procedure and revoke the contracts, Binance Web3 Wallet users should go to the BscScan Token Approval Checker and connect their Web3 wallet. Doing so shows a list of all smart contracts that have permission to spend their tokens.

Users must carefully review these approvals and select those they wish to revoke. Clicking “Revoke” opens a signature request in the wallet. Finally, the user must confirm the transaction in the wallet to complete the revocation process. Revocations on the other networks are carried out in a similar way.

This procedure ensures that compromised contracts can no longer move user tokens without their authorization, thus protecting their wallets from potential vulnerabilities.
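One way to audit approvals outside a web checker, as an added example (not code from Binance, BscScan or Radiant Capital): it replays ERC-20 Approval event logs for one wallet and builds the approve(spender, 0) calldata that revokes any live approval to a flagged contract. The addresses and sample logs are constructed placeholders, and the function names are hypothetical.

```python
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Replay Approval logs in order; return non-zero {(token, spender): value} for owner."""
    # The value is the last amount approved, an upper bound on what remains;
    # the token's allowance(owner, spender) view is the authoritative figure.
    state = {}
    for log in logs:
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        state[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0); the owner sends it to the token contract."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def revocations(logs, owner, flagged):
    """Return (token, spender, calldata) for live approvals to flagged spenders."""
    flagged = {a.lower() for a in flagged}
    return [(t, s, revoke_calldata(s)) for (t, s) in live_approvals(logs, owner) if s in flagged]

# Constructed sample data: placeholder addresses, not the contracts from the Binance notice.
OWNER, TOKEN, FLAGGED, OTHER = ("0x" + b * 20 for b in ("11", "aa", "bb", "cc"))
def ev(owner, spender, value):
    topics = [APPROVAL_TOPIC] + ["0x" + "0" * 24 + a[2:] for a in (owner, spender)]
    return {"address": TOKEN, "topics": topics, "data": hex(value)}
SAMPLE_LOGS = [
    ev(OWNER, FLAGGED, 2**256 - 1),  # unlimited approval, still live
    ev(OWNER, OTHER, 1000),
    ev(OWNER, OTHER, 0),             # later revoked by the owner
    ev(OTHER, FLAGGED, 5),           # different owner, ignored
]

if __name__ == "__main__":
    for token, spender, data in revocations(SAMPLE_LOGS, OWNER, [FLAGGED]):
        print(f"send to {token}: {data}")
```

An unlimited approval like the first sample log stays valid until the owner overwrites it, which is why the revocation has to be sent as its own transaction to each token contract.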

How did the attack on the Radiant Capital DeFi platform happen?

The hackers created and deployed a smart contract with a backdoor (a “backdoor contract”) in the DeFi platform’s infrastructure. This type of contract includes hidden access that allowed the attackers to exploit a vulnerability in the “transferFrom” function of a smart contract.

The transferFrom function enables a smart contract to transfer tokens from a user’s account to another account, but only if the user has previously authorized this transfer. This authorization is granted through a prior allowance of tokens.

In a hack like the one suffered by Radiant Capital, attackers can exploit vulnerabilities in the implementation of transferFrom to move tokens without proper authorization.

Although the transferFrom function is a core part of Ethereum’s (ETH) ERC-20 standard, BNB Smart Chain (BSC) and Arbitrum are closely tied to this technology as well.

Through this method, they were able to withdraw funds without authorization, according to a report by Ancilla, a Web3 security company.

For its part, the dApp, which is integrated into the Binance Web3 Wallet, announced today, October 17, the refund of 10 million dollars to users.

In addition, Radiant Capital closed its markets on the Base network, another Ethereum L2, and on its main network (which includes BSC and Arbitrum). The platform said it is working with security companies such as SEAL911, Hypernative, ZeroShadow and Chainalysis to clarify the incident and restore security.


