Radiant Capital, Bedrock, and Shezmu Compromised for $60M via Multisig Misconfig, Minting Loopholes, and Native Token Misuse
Radiant lost $53M after lax multisig thresholds exposed private keys. Bedrock mishandled native BTC logic, enabling unauthorized minting of 30.8 uniBTC. Shezmu’s vault let users mint ShezUSD without collateral, leading to a $4.9M drain.
In Brief
Radiant Capital’s private keys were compromised.
Bedrock’s mishandling of native coins resulted in a $2M loss.
Shezmu suffered a $4.9M loss due to a logic flaw in the minting function.
Hacks Analysis
Radiant Capital | Amount Lost: $53M
On October 16th, the Radiant Capital exploit across multiple chains resulted in a $53M loss. The root cause of the attack was the compromise of their private keys. Although Radiant Capital’s wallet can require up to 11 signatures, the setup at the time of the exploit allowed transactions to be executed with just 3 signatures. The Radiant Capital team acknowledged the incident and confirmed that markets on Base and Mainnet are paused until further notice.
Press enter or click to view image in full size
Exploited Contract (on BNB): 0x58b0bb56cfdfc5192989461dd43568bcfb2797db
On September 26th, the Bedrock exploit on the Ethereum Mainnet resulted in a $2M loss. The root cause was a flaw in the contract’s handling of native BTC tokens on non-native chains. The mint function failed to account for the absence of native BTC registration, causing the total supply check to pass incorrectly. The attacker was able to mint 30.8 uniBTC with native tokens. Bedrock acknowledged the incident and paused all transactions.
On September 20th, the Shezmu exploit on the Ethereum Mainnet resulted in a $4.9M loss. The root cause of the exploit was that one of Shezmu’s vault contracts allowed minting ShezUSD without providing any collateral. This vulnerability allowed the attacker to mint ShezUSD tokens and make a profit. Shezmu acknowledged the issue and recovered the stolen funds from the attacker in exchange for a 20% bounty.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.
