香港Stablecoin Neobank Infini向前开发商损失了4,950万美元

违反信托岩石岩石基于香港的Stablecoin Neobank Infini，据称是保留行政访问的前开发商

A former developer of Hong Kong-based stablecoin neobank Infini is suspected of stealing nearly $50 million in a brazen exploit, according to a report by Web3 security firm ExVul on Friday.

根据Web3 Security Exvul的一份报告，总部位于香港的Stablecoin Neobank Infini的开发商涉嫌窃取近5000万美元的漏洞利用。

The stolen funds, initially present in USDC, were swiftly converted into DAI and subsequently into Ethereum (ETH) before being moved to an external wallet. This multi-step process is a common tactic used by attackers to obfuscate the trail of stolen funds. The incident underscores the persistent security vulnerabilities that plague the decentralized finance (DeFi) space.

最初出现在USDC的被盗资金迅速转化为DAI，随后转化为以太坊（ETH），然后转移到外部钱包。这个多步骤过程是攻击者用来混淆被盗资金的踪迹的一种常见策略。该事件强调了困扰分散融资（DEFI）空间的持续安全漏洞。

Infini, which recently rebranded from X-Infinity, acknowledged the security compromise in a statement posted on X (formerly Twitter), expressing deep regret for the concern caused.

Infini最近从X-Infinity重新命名，他在X（以前称为Twitter）上的一份声明中承认了安全妥协，对引起的关注表示了深刻的遗憾。

“We’re aware of reports on a security compromise affecting Infini. We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment,” the company said.

“我们知道有关影响Infini的安全妥协的报告。我们为此感到非常抱歉 - 我们的团队目前正在全天候调查和保护所有系统，”该公司说。

Despite the setback, Infini reiterated its commitment to its mission: “All transfers, deposits, withdrawals, and payments remain in normal usage and working status. Despite the challenge, Infini’s vision — to redefine the future of digital finance as a crypto neo bank — has never changed. Keep building!”

尽管遇到了挫折，但英菲尼还是重申了其对任务的承诺：“所有转移，存款，提款和付款仍处于正常使用和工作状态。尽管面临挑战，Infini的愿景（重新定义了作为加密货币银行的数字金融的未来）从未改变。继续建造！”

According to ExVul's analysis, the contract used in the exploit (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC) was created by the attacker (0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1) as part of the Infini project.

根据Exvul的分析，利用中使用的合同（0x9A79F4105A4E1A0BA0B42F25351D394FA7EE1DC）由攻击者（0xC49B5E5B5B5B9DA6666B9126B9126C1A62E62E2E9761E6B2214DE1）创建

“After the project delivery, the attacker retained administrative privileges,” ExVul noted in an X post. “After over 100 days of dormancy, the attacker utilized the previously retained privileges from the contract’s development phase.”

“在项目交付后，攻击者保留了行政特权，” Exvul在X帖子中指出。 “在休眠100天以上，攻击者利用了合同发展阶段的先前保留特权。”

The attacker first transferred a small amount of Ethereum for gas fees, then interacted with the contract to steal all of the funds, which were then converted to DAI, and later to ETH, before being transferred to an external wallet (0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49).

攻击者首先将少量的以太储物用于汽油费，然后与合同进行互动，以窃取所有资金，然后将其转换为DAI，然后转换为ETH，然后转移到外部钱包（0xFCC8911976D752752890F2140F2140D9F9F9F4EDD2C64A6E6E49）。

Infini's founder, known only as Christian, addressed the situation directly in a translated X post, revealing that a significant portion of the stolen funds belonged to major investors.

Infini的创始人（仅被称为Christian）直接在翻译后的X帖子中解决了这种情况，揭示了大部分被盗资金属于主要投资者。

“70% of the $50M stolen belonged to big investors I know. I have communicated with them one by one and I will personally bear the possible losses and settle privately,” Infini's founder said.

“在5000万美元被盗的5000万美元中，有70％属于我认识的大投资者。我已经与他们沟通了一个，我个人会承担可能的损失并私下解决。” Infini的创始人说。

He reassured other users about the remaining funds: “The remaining funds will be reinvested in Infini Vault before next Monday, and everything will remain the same. The funds have been prepared and will respond to any withdrawal requests in the meantime, so please rest assured.”

他向其他用户保证剩余的资金：“剩下的资金将在下周一之前再投资于Infini Vault，一切都将保持不变。这些资金已经准备好，并将在此期间回应任何提款请求，因此请放心。”

Christian also acknowledged the need for temporary service adjustments, saying, “Sorry, it will take some time to upgrade and restart the business. Everything will be carried out under the premise of ensuring the absolute safety of funds. Shame on you, be grateful, and we will do better.”

克里斯蒂安（Christian）还承认需要进行临时服务调整，并说：“对不起，升级和重新启动业务将需要一些时间。一切都将在确保资金绝对安全的前提下进行。对你感到羞耻，要感激，我们会做得更好。”

Infini has promised to fully reimburse all affected users, a move that may help to mitigate some of the reputational damage caused by the exploit. However, the incident serves as a powerful reminder of the critical need for rigorous security protocols, including strict access control management and comprehensive code audits, particularly within the rapidly evolving and often-targeted DeFi ecosystem.

Infini已承诺将充分偿还所有受影响的用户，此举可能有助于减轻利用造成的某些声誉损害。但是，该事件有力地提醒人们对严格的安全协议的关键需求，包括严格的访问控制管理和全面的代码审核，尤其是在快速发展且经常定位的Defi生态系统中。