Overview
Radiant Capital launched as an omnichain lending protocol leveraging LayerZero's cross-chain messaging infrastructure, initially deployed on Arbitrum and later expanding to BNB Chain and Ethereum. The protocol's core thesis was enabling seamless cross-chain lending and borrowing — depositing collateral on one chain and borrowing on another — positioning itself as the "omnichain money market."
Radiant V2, launched in early 2023, introduced dynamic liquidity provisioning (dLP) requiring borrowers to lock RDNT-ETH liquidity to earn emissions, aiming to create sustainable tokenomics. The protocol grew rapidly, reaching over $300M in TVL driven by aggressive RDNT emissions and the omnichain narrative.
However, in October 2024, Radiant suffered a catastrophic security breach. Attackers compromised multiple private keys from Radiant's multisig signers through sophisticated malware, gaining control of the protocol's smart contracts and draining approximately $50 million across Arbitrum and BNB Chain. This exploit devastated user trust and exposed critical operational security failures in the protocol's key management. The protocol has been attempting recovery since, but the damage to its reputation and TVL has been severe.
Smart Contracts
Architecture
Radiant is built as an Aave V2 fork with LayerZero omnichain messaging integration. The cross-chain architecture adds significant complexity to the base Aave codebase, with bridging contracts, cross-chain rate synchronization, and remote lending functionality. The dLP mechanism adds another layer of contract complexity for emissions management.
Code Quality
The codebase is open source and based on the well-reviewed Aave V2 architecture. However, the LayerZero integration and custom cross-chain logic introduce novel code that deviates significantly from the battle-tested base. The fork-plus-modifications approach means not all of Aave's security properties carry over, and the cross-chain components represent largely unproven code.
Upgradeability
Radiant's contracts use proxy patterns controlled by a multisig wallet. This multisig was the direct vector for the October 2024 exploit — attackers who compromised signer keys could upgrade contracts to drain funds. The multisig configuration (3-of-11 threshold at the time of the exploit) was criticized as insufficiently secure for the value it controlled.
Security
Audit History
Radiant was audited by OpenZeppelin, BlockSec, Peckshield, and Zokyo. Despite multiple audits, the October 2024 exploit was an operational security failure (compromised private keys) rather than a smart contract vulnerability — a risk category that code audits cannot fully address. The audits did not flag the insufficient multisig security practices.
Oracle Design
Radiant uses Chainlink price feeds for asset pricing, consistent with its Aave V2 base. The cross-chain oracle synchronization adds complexity, as prices must be consistent across multiple chains to prevent arbitrage exploits. This cross-chain oracle dependency represents an additional attack surface.
Liquidation Engine
The liquidation mechanism follows the Aave V2 model with cross-chain considerations. Liquidators can liquidate undercollateralized positions, though cross-chain positions add complexity to the liquidation process. During the exploit, the liquidation mechanism was irrelevant as the attacker had direct contract control.
Track Record
Radiant's security track record is severely compromised. The October 2024 exploit resulted in approximately $50M in losses across multiple chains, making it one of the largest DeFi exploits of 2024. The attack vector — compromised multisig keys via targeted malware — exposed fundamental operational security weaknesses. An earlier exploit in January 2024 had already resulted in $4.5M in losses from a flash loan vulnerability, meaning the protocol suffered two major incidents within a single year.
Risk Management
Asset Listing
Radiant supported a limited set of major assets (ETH, WBTC, USDC, USDT, DAI, ARB) reflecting a conservative listing approach. However, the protocol's overall risk management was undermined by the catastrophic operational security failure that no asset listing policy could mitigate.
Risk Parameters
Risk parameters followed standard Aave V2 configurations with modifications for cross-chain lending. LTV ratios, liquidation thresholds, and reserve factors were set conservatively. However, the most critical risk — multisig key management — was inadequately controlled.
Isolation Modes
Radiant's cross-chain architecture inherently connects risk across chains, which is the opposite of isolation. An exploit on one chain (as occurred in October 2024) immediately threatened funds on all connected chains. The protocol lacked sufficient circuit breakers to contain cross-chain contagion.
Adoption
TVL & Usage
Prior to the October 2024 exploit, Radiant had approximately $300M in TVL. Post-exploit, TVL collapsed to under $30M as users fled the protocol. Recovery efforts have been slow, and user trust remains severely damaged. Current TVL remains a fraction of its pre-exploit levels.
Multichain Presence
Radiant was deployed on Arbitrum, BNB Chain, and Ethereum. The cross-chain presence, once a selling point, became a liability during the exploit as the attacker drained funds across multiple chains simultaneously. Post-exploit, activity is minimal across all deployments.
Integrations
Radiant had integrations with major Arbitrum ecosystem protocols and DeFi aggregators. Post-exploit, many integrations have been paused or removed. The protocol's ecosystem partnerships have been significantly impacted.
Tokenomics
Token Overview
RDNT is the native token with a maximum supply of 1 billion. The dLP mechanism requires borrowers to lock RDNT-ETH LP tokens worth at least 5% of their deposit value to earn RDNT emissions. This mechanism was designed to prevent mercenary farming but adds complexity and capital requirements for users.
Revenue Model
Radiant earns fees through interest rate spreads and a 15% platform fee on borrower interest. Revenue was modest relative to emissions costs, and the dLP mechanism's sustainability was questioned even before the exploit. Post-exploit, revenue has collapsed alongside TVL.
Governance
Governance is conducted through RDNT token voting and the multisig. The October 2024 exploit exposed the governance/multisig structure as a critical vulnerability. Post-exploit governance has focused on recovery plans, including the potential use of a recovery token to compensate affected users.
Risk Factors
- Catastrophic Exploit History: The $50M October 2024 exploit is one of the most damaging events in DeFi lending, driven by compromised multisig keys. This represents a fundamental failure in operational security that overshadows all other protocol attributes.
- Multisig Vulnerability: The 3-of-11 multisig threshold was dangerously low for the value it controlled. Even if improved, the precedent of key compromise severely undermines trust in any multisig-controlled system.
- Cross-Chain Complexity: The omnichain architecture that was Radiant's differentiator also amplified the exploit's damage by enabling simultaneous fund drainage across chains.
- Recovery Uncertainty: Post-exploit recovery plans are uncertain, and the timeline and mechanism for compensating affected users remain unclear. Confidence in the team's ability to secure the protocol is low.
- Emission Dependency: Pre-exploit, Radiant's TVL was heavily driven by RDNT emissions rather than organic demand, suggesting underlying fragility even without the security breach.
- Trust Deficit: Rebuilding user trust after a $50M+ exploit is exceptionally difficult. Competing protocols offer similar functionality without the security stigma.
Conclusion
Radiant Capital's story is a cautionary tale about the gap between innovative protocol design and operational security fundamentals. The omnichain lending vision was genuinely compelling, and the dLP mechanism showed creative thinking about sustainable tokenomics. However, none of these innovations matter when the protocol's keys are compromised through basic operational security failures.
The October 2024 exploit — following an earlier $4.5M flash loan exploit in January — demonstrates that Radiant failed to implement adequate security practices proportionate to the value it custodied. The 3-of-11 multisig threshold, insufficient key management practices, and lack of cross-chain circuit breakers reflect systemic security governance failures.
While the Radiant team has outlined recovery plans and security improvements, the protocol faces an uphill battle to regain trust. Users considering Radiant must weigh the significant risks against any potential benefits, and the security score reflects the reality that a protocol is ultimately only as secure as its weakest operational link.