- A hacker drained $49M from Infini’s smart contract after retaining admin access, leading to questions about internal security lapses.
- The exploiter quickly swapped USDC for ETH to evade freezing, using decentralized protocols like Uniswap and 0x Protocol.
- The Infini founder took responsibility for the exploit, assuring users of full compensation while investigators traced the stolen funds.
An attacker exploited retained admin rights to drain $49 million in USDC from the Infini stablecoin bank. The exploit, which went unnoticed until a large transaction withdrew all contract-locked funds, has raised concerns about security lapses within the project.
The attacker’s wallet was reportedly tied to a developer tasked with building Infini’s smart contract. Retaining admin privileges allowed the individual to execute a command that withdrew all available liquidity. Infini has yet to issue a detailed response explaining how this security flaw went undetected.
Infini’s Rapid Growth and Yield Products Attracted Liquidity
Infini, a neobank integrating stablecoin payments with traditional finance, has seen a sharp rise in user adoption. The platform experienced a 500% increase in users following the launch of its crypto card services. High-yield earning products attracted significant liquidity, providing an opportunity for the attacker to exploit the system. Funds were siphoned from the Morpho MEV Capital Usual USDC Vault, though Morpho has not reported any direct losses.
The attacker wasted no time in converting stolen USDC into Ethereum. The process involved swapping USDC for DAI via decentralized protocols before acquiring 17,696 ETH. Transactions were executed through Uniswap, Sky Protocol, and 0x Protocol to minimize traceability.
By converting to ETH, a non-freezable asset, the hacker avoided asset seizure. The stolen ETH was subsequently split into smaller sums and distributed across multiple wallets, with initial funding for the wallet linked to Tornado Cash.
Infini Founder Acknowledges Responsibility
Infini’s founder, known as @christianeth on X, admitted to negligence in the authority transfer process. He reassured users that Infini remains liquid and will provide full compensation if necessary. On-chain analysts have suggested a potential private key leak, adding another layer of complexity to the investigation.
Meanwhile, co-founder @0xsexybanana deleted her X account following the attack. PeckShield has since identified the engineer-turned-hacker behind the exploit, though Infini has not released an official statement on the individual’s identity.
The hack has renewed concerns about Ethereum’s use in money laundering, especially in the wake of similar large-scale exploits. The Bybit exchange suffered a $1.5 billion Ethereum exploit earlier this year, with funds moved in a similar pattern.
Blockchain investigator ZachXBT has pointed out that this method aligns with tactics used by the Lazarus Group, though no direct links have been established. Despite the ongoing investigation, the sudden demand for Ethereum triggered a small price rally, with ETH surpassing $2,800 for the first time in weeks.
DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
