Gushiken Yona
A breach of trust rocks Hong Kong-based stablecoin neobank Infini as a former developer, allegedly retaining administrative access, is suspected of stealing $49.5 million in USDC from the company.
Details of the $49.5 Million Exploit
The stolen USDC was reportedly converted into DAI and subsequently into Ethereum (ETH) before being moved to an external wallet. This multi-step process is a common tactic used by attackers to obfuscate the trail of stolen funds. The incident underscores the persistent security vulnerabilities that plague the decentralized finance (DeFi) space.
In a statement posted on X (formerly Twitter), Infini acknowledged the security compromise, expressing deep regret for the concern caused. “We’re aware of reports on a security compromise affecting Infini. We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment,” the company said. Despite the setback, Infini reiterated its commitment to its mission: “All transfers, deposits, withdrawals, and payments remain in normal usage and working status. Despite the challenge, Infini’s vision — to redefine the future of digital finance as a crypto neo bank — has never changed. Keep building!”
Infini Exploit Analysis: Rogue Developer Retained Admin Privileges
Web3 security firm ExVul provided a detailed analysis, pinpointing the exploit’s origin to a contract address (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC) created by the attacker before leaving the Infini project. In an X post, ExVul explained: “Analysis of the $49.5 million loss at @0xinfini: The contract address 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC, which was created by the attacker address 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, was initially developed by the attacker as part of the Infini project.
After the project delivery, the attacker retained administrative privileges. After over 100 days of dormancy, the attacker utilized the previously retained privileges from the contract’s development phase.
The attacker first transferred a small amount of Ethereum for gas fees, then interacted with the contract to steal all of the funds.” The stolen USDC was converted to DAI, then to ETH, before being transferred to an external wallet, currently identified as 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49, according to ExVul.
Infini Founder Addresses Investors and Users
Infini’s founder, identified as Christian, addressed the situation directly in a translated post on X. He revealed that a significant portion of the stolen funds belonged to major investors.
The Infini founder said, “70% of the $50M stolen belonged to big investors I know. I have communicated with them one by one and I will personally bear the possible losses and settle privately.”
He reassured other users about the remaining funds: “The remaining funds will be reinvested in Infini Vault before next Monday, and everything will remain the same. The funds have been prepared and will respond to any withdrawal requests in the meantime, so please rest assured.”
Christian also acknowledged the need for temporary service adjustments, saying, “Sorry, it will take some time to upgrade and restart the business. Everything will be carried out under the premise of ensuring the absolute safety of funds. Shame on you, be grateful, and we will do better.”
Infini has promised to fully reimburse all affected users, a move that may help to mitigate some of the reputational damage caused by the exploit. However, the incident serves as a powerful reminder of the critical need for rigorous security protocols, including strict access control management and comprehensive code audits, particularly within the rapidly evolving and often-targeted DeFi ecosystem.
Read More
- Binance Moves Large ETH, SOL Volumes, Sparks Market Jitters
- Bitcoin ETF Outflows Spark Uncertainty, But Long-Term Bullishness Remains
- Shiba Eternity Gets a Blockchain Boost with Smart Contract Update
Yona has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Daily is an official media and publication of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.
