On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank that blends cryptocurrency with traditional finance, suffered a devastating security breach.
Hong Kong stablecoin neobank Infini was reportedly breached on February 24, with the attacker making off with approximately $49.5 million in USD Coin (USDC), as earlier reported.
Blockchain security firm CertiK first flagged the exploit at 3:18 AM UTC, sending ripples of concern through the decentralized finance (DeFi) community. The incident highlights persistent vulnerabilities in the crypto space, especially following the recent $1.4 billion Bybit hack on February 21.
The Infini Attack
The attack targeted an Infini-related smart contract on the Ethereum blockchain, specifically the address 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC.
According to security analysts from CertiK, Cyvers, Blocksec, and PeckShield, a hacker gained unauthorized access by exploiting retained administrative privileges within the contract. The attacker, operating from the address 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the smart contract for Infini but retained control, unbeknownst to the project.
This insider access allowed the hacker to manipulate the contract’s settings, ultimately draining $49.5 million in USDC from what is believed to be the Morpho MEV Capital Usual USDC Vault.
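An added example, not part of the original article and not Infini's code: one way a project could check, after a developer handover, that no address outside its own still holds a privileged role. It assumes an OpenZeppelin AccessControl-style contract that emits RoleGranted/RoleRevoked events (the article does not say how the Infini contract managed privileges); the addresses, the `STRATEGY_ROLE` name and the event log are constructed.

```python
"""Audit who still holds privileged roles after a developer-to-project handover.

Assumption: the contract emits OpenZeppelin-style RoleGranted / RoleRevoked
events. All addresses, role names and events are constructed sample data.
"""

DEV = "0x" + "d1" * 20        # constructed: contract developer's key
MULTISIG = "0x" + "a5" * 20   # constructed: project-controlled multisig

# Constructed log: out of order, mixed address casing, and a handover that
# moved DEFAULT_ADMIN_ROLE but overlooked a second (hypothetical) role.
SAMPLE_EVENTS = [
    {"block": 120, "log_index": 0, "event": "RoleGranted",
     "role": "DEFAULT_ADMIN_ROLE", "account": MULTISIG},
    {"block": 100, "log_index": 0, "event": "RoleGranted",
     "role": "DEFAULT_ADMIN_ROLE", "account": DEV},
    {"block": 100, "log_index": 1, "event": "RoleGranted",
     "role": "STRATEGY_ROLE", "account": "0x" + "D1" * 20},
    {"block": 121, "log_index": 0, "event": "RoleRevoked",
     "role": "DEFAULT_ADMIN_ROLE", "account": DEV},
]

# The only holders the project intends to exist after the handover.
EXPECTED = {"DEFAULT_ADMIN_ROLE": {MULTISIG}}


def role_holders(events):
    """Replay grant/revoke events in chain order; return role -> set of holders."""
    holders = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["log_index"])):
        members = holders.setdefault(ev["role"], set())
        account = ev["account"].lower()  # checksum casing must not hide a match
        if ev["event"] == "RoleGranted":
            members.add(account)
        elif ev["event"] == "RoleRevoked":
            members.discard(account)
    return holders


def unexpected_holders(events, expected):
    """Return sorted (role, account) pairs that are not on the allowlist."""
    allowed = {r: {a.lower() for a in accts} for r, accts in expected.items()}
    findings = []
    for role, members in sorted(role_holders(events).items()):
        for account in sorted(members - allowed.get(role, set())):
            findings.append((role, account))
    return findings


if __name__ == "__main__":
    for role, account in unexpected_holders(SAMPLE_EVENTS, EXPECTED):
        print(f"UNEXPECTED holder of {role}: {account}")
```

Roles absent from the allowlist are treated as having no permitted holders, so a role the project forgot to list is reported rather than silently accepted.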
After the theft, the hacker swiftly converted the stolen USDC into Dai (DAI) and then purchased 17,696 Ethereum (ETH), valued at around $49 million at the time.
It seems that the stablecoin bank @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and bought 17,696 $ETH.
The 17,696 $ETH was transferred to a new wallet "0xfcc8…6e49". https://t.co/AdAyB3q5LA pic.twitter.com/Rft6ZDtDWO
— Lookonchain (@lookonchain) February 24, 2025
The funds were then transferred to a new wallet, 0xfcc8…6e49, and split across multiple addresses, with some being initially funded into Tornado Cash, a privacy tool often used to obscure cryptocurrency transactions. However, at the time of reporting, the ETH remained unmixed, indicating ongoing efforts to trace the hacker’s movements.
Infini’s Response
Launched in 2024, Infini is a digital-only neobank that offers stablecoin transactions, crypto card services, and high-yield accounts. The neobank has now issued an official statement on the security breach, stating that “all transfers, deposits, withdrawals, and payments remain in normal usage and working status.”
We're aware of reports on a security compromise affecting Infini. We're deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment.
All transfers, deposits, withdrawals, and payments remain in normal usage…
— Infini (@0xinfini) February 24, 2025
In a post on X, Infini founder Christian Li took full responsibility for the exploit, clarifying that the breach did not result from a private key leak but rather his negligence in transferring authority from the developer to the project. “My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm… There is no problem with liquidity. Full compensation can be paid, and the funds are being traced,” he wrote.
Despite this reassurance, some on-chain analyses, including those from PeckShield, suggest a potential private key compromise, adding another layer of complexity to the investigation.
Impact of the Exploit
The exploit has raised serious questions about private key management, smart contract security, and the risks of insider threats in DeFi platforms.
As a neobank that has experienced meteoric growth, boasting a 500% monthly increase in active users since its inception, particularly after launching its crypto card campaigns, Infini now faces a critical test of its resilience. The neobank’s high-yield products, designed to attract liquidity, inadvertently provided the conditions for the exploit, amplifying the financial impact.
This incident follows closely on the heels of the Bybit exchange hack, which saw a staggering $1.4 billion drained through manipulated smart contract logic. The similarity in tactics, namely splitting and mixing ETH, has led on-chain investigator ZachXBT to speculate that