香港Stablecoin Neobank Infini向前開發商損失了4,950萬美元

違反信託岩石岩石基於香港的Stablecoin Neobank Infini，據稱是保留行政訪問的前開發商

A former developer of Hong Kong-based stablecoin neobank Infini is suspected of stealing nearly $50 million in a brazen exploit, according to a report by Web3 security firm ExVul on Friday.

根據Web3 Security Exvul的一份報告，總部位於香港的Stablecoin Neobank Infini的開發商涉嫌竊取近5000萬美元的漏洞利用。

The stolen funds, initially present in USDC, were swiftly converted into DAI and subsequently into Ethereum (ETH) before being moved to an external wallet. This multi-step process is a common tactic used by attackers to obfuscate the trail of stolen funds. The incident underscores the persistent security vulnerabilities that plague the decentralized finance (DeFi) space.

最初出現在USDC的被盜資金迅速轉化為DAI，隨後轉化為以太坊（ETH），然後轉移到外部錢包。這個多步驟過程是攻擊者用來混淆被盜資金的踪蹟的一種常見策略。該事件強調了困擾分散融資（DEFI）空間的持續安全漏洞。

Infini, which recently rebranded from X-Infinity, acknowledged the security compromise in a statement posted on X (formerly Twitter), expressing deep regret for the concern caused.

Infini最近從X-Infinity重新命名，他在X（以前稱為Twitter）上的一份聲明中承認了安全妥協，對引起的關注表示了深刻的遺憾。

“We’re aware of reports on a security compromise affecting Infini. We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment,” the company said.

“我們知道有關影響Infini的安全妥協的報告。我們為此感到非常抱歉 - 我們的團隊目前正在全天候調查和保護所有系統，”該公司說。

Despite the setback, Infini reiterated its commitment to its mission: “All transfers, deposits, withdrawals, and payments remain in normal usage and working status. Despite the challenge, Infini’s vision — to redefine the future of digital finance as a crypto neo bank — has never changed. Keep building!”

儘管遇到了挫折，但英菲尼還是重申了其對任務的承諾：“所有轉移，存款，提款和付款仍處於正常使用和工作狀態。儘管面臨挑戰，Infini的願景（重新定義了作為加密貨幣銀行的數字金融的未來）從未改變。繼續建造！”

According to ExVul's analysis, the contract used in the exploit (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC) was created by the attacker (0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1) as part of the Infini project.

根據Exvul的分析，利用中使用的合同（0x9A79F4105A4E1A0BA0B42F25351D394FA7EE1DC）由攻擊者（0xC49B5E5B5B5B9DA6666B9126B9126C1A62E62E2E9761E6B2214DE1）創建

“After the project delivery, the attacker retained administrative privileges,” ExVul noted in an X post. “After over 100 days of dormancy, the attacker utilized the previously retained privileges from the contract’s development phase.”

“在項目交付後，攻擊者保留了行政特權，” Exvul在X帖子中指出。 “在休眠100天以上，攻擊者利用了合同發展階段的先前保留特權。”

The attacker first transferred a small amount of Ethereum for gas fees, then interacted with the contract to steal all of the funds, which were then converted to DAI, and later to ETH, before being transferred to an external wallet (0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49).

攻擊者首先將少量的以太儲物用於汽油費，然後與合同進行互動，以竊取所有資金，然後將其轉換為DAI，然後轉換為ETH，然後轉移到外部錢包（0xFCC8911976D752752890F2140F2140D9F9F9F4EDD2C64A6E6E49）。

Infini's founder, known only as Christian, addressed the situation directly in a translated X post, revealing that a significant portion of the stolen funds belonged to major investors.

Infini的創始人（僅被稱為Christian）直接在翻譯後的X帖子中解決了這種情況，揭示了大部分被盜資金屬於主要投資者。

“70% of the $50M stolen belonged to big investors I know. I have communicated with them one by one and I will personally bear the possible losses and settle privately,” Infini's founder said.

“在5000萬美元被盜的5000萬美元中，有70％屬於我認識的大投資者。我已經與他們溝通了一個，我個人會承擔可能的損失並私下解決。” Infini的創始人說。

He reassured other users about the remaining funds: “The remaining funds will be reinvested in Infini Vault before next Monday, and everything will remain the same. The funds have been prepared and will respond to any withdrawal requests in the meantime, so please rest assured.”

他向其他用戶保證剩餘的資金：“剩下的資金將在下週一之前再投資於Infini Vault，一切都將保持不變。這些資金已經準備好，並將在此期間回應任何提款請求，因此請放心。”

Christian also acknowledged the need for temporary service adjustments, saying, “Sorry, it will take some time to upgrade and restart the business. Everything will be carried out under the premise of ensuring the absolute safety of funds. Shame on you, be grateful, and we will do better.”

克里斯蒂安（Christian）還承認需要進行臨時服務調整，並說：“對不起，升級和重新啟動業務將需要一些時間。一切都將在確保資金絕對安全的前提下進行。對你感到羞恥，要感激，我們會做得更好。”

Infini has promised to fully reimburse all affected users, a move that may help to mitigate some of the reputational damage caused by the exploit. However, the incident serves as a powerful reminder of the critical need for rigorous security protocols, including strict access control management and comprehensive code audits, particularly within the rapidly evolving and often-targeted DeFi ecosystem.

Infini已承諾將充分償還所有受影響的用戶，此舉可能有助於減輕利用造成的某些聲譽損害。但是，該事件有力地提醒人們對嚴格的安全協議的關鍵需求，包括嚴格的訪問控制管理和全面的代碼審核，尤其是在快速發展且經常定位的Defi生態系統中。