On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank that blends cryptocurrency with traditional finance, suffered a devastating security breach.
Hong Kong stablecoin neobank Infini was reportedly breached on February 24, with the attacker making off with approximately $49.5 million in USD Coin (USDC), as reported earlier.
Blockchain security firm CertiK first flagged the exploit at 3:18 AM UTC, sending ripples of concern through the decentralized finance (DeFi) community. The incident highlights persistent vulnerabilities in the crypto space, especially following the recent $1.4 billion Bybit hack on February 21.
The Infini Attack
The attack targeted an Infini-related smart contract on the Ethereum blockchain, specifically the address 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC.
According to security analysts from CertiK, Cyvers, Blocksec, and PeckShield, a hacker gained unauthorized access by exploiting retained administrative privileges within the contract. The attacker, operating from the address 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the smart contract for Infini but retained control, unbeknownst to the project.
This insider access allowed the hacker to manipulate the contract’s settings, ultimately draining $49.5 million in USDC from what is believed to be the Morpho MEV Capital Usual USDC Vault.
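The failure described above, an administrative role left with the contract's developer after handover, can be caught by replaying the contract's role events and comparing the resulting holders with the accounts the project expects. This is an added example, not code from Infini or the analysts cited; the page does not say which access-control scheme the contract used, so it assumes OpenZeppelin AccessControl-style RoleGranted/RoleRevoked events, and the role names, addresses and event log are constructed.

```python
from collections import defaultdict

# Constructed placeholder addresses (not real on-chain accounts).
DEPLOYER = "0x" + "d1" * 20          # developer key that deployed the contract
PROJECT_MULTISIG = "0x" + "a1" * 20  # project-controlled admin after handover
OPS_BOT = "0x" + "b2" * 20           # routine operator account

# Constructed event log: (block, event, role, account). Role names are hypothetical.
SAMPLE_EVENTS = [
    (100, "RoleGranted", "DEFAULT_ADMIN_ROLE", DEPLOYER),
    (100, "RoleGranted", "STRATEGY_ADMIN", DEPLOYER),
    (140, "RoleGranted", "DEFAULT_ADMIN_ROLE", PROJECT_MULTISIG),
    (141, "RoleRevoked", "DEFAULT_ADMIN_ROLE", DEPLOYER),  # handover stops here
    (150, "RoleGranted", "OPERATOR", OPS_BOT),
]

# Who the project believes holds each role after the handover.
EXPECTED = {
    "DEFAULT_ADMIN_ROLE": {PROJECT_MULTISIG},
    "STRATEGY_ADMIN": {PROJECT_MULTISIG},
    "OPERATOR": {OPS_BOT},
}


def current_holders(events):
    """Replay grant/revoke events in block order; return {role: {accounts}}."""
    holders = defaultdict(set)
    for _block, kind, role, account in sorted(events, key=lambda e: e[0]):
        account = account.lower()  # checksummed and lowercase forms must match
        if kind == "RoleGranted":
            holders[role].add(account)
        elif kind == "RoleRevoked":
            holders[role].discard(account)
    return {role: accts for role, accts in holders.items() if accts}


def audit_handover(events, expected):
    """Return sorted (role, account) pairs held on-chain but not expected."""
    allowed = {r: {a.lower() for a in accts} for r, accts in expected.items()}
    findings = []
    for role, accts in current_holders(events).items():
        findings.extend((role, a) for a in accts - allowed.get(role, set()))
    return sorted(findings)


if __name__ == "__main__":
    for role, account in audit_handover(SAMPLE_EVENTS, EXPECTED):
        print(f"UNEXPECTED HOLDER role={role} account={account}")
```

In the constructed log the top-level admin role was moved to the multisig, but the secondary role granted at deployment was never revoked, which is the case a handover checklist limited to the main admin role misses.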
After the theft, the hacker swiftly converted the stolen USDC into Dai (DAI) and then purchased 17,696 Ethereum (ETH), valued at around $49 million at the time.
It seems that the stablecoin bank @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and bought 17,696 $ETH.
The 17,696 $ETH was transferred to a new wallet "0xfcc8…6e49". https://t.co/AdAyB3q5LA
— Lookonchain (@lookonchain) February 24, 2025
The funds were then transferred to a new wallet, 0xfcc8…6e49, and split across multiple addresses, with some being initially funded into Tornado Cash, a privacy tool often used to obscure cryptocurrency transactions. However, at the time of reporting, the ETH remained unmixed, indicating ongoing efforts to trace the hacker’s movements.
Infini’s Response
Launched in 2024, Infini is a digital-only neobank that offers stablecoin transactions, crypto card services, and high-yield accounts. The neobank has now issued an official statement on the security breach, stating that “all transfers, deposits, withdrawals, and payments remain in normal usage and working status.”
We're aware of reports on a security compromise affecting Infini. We're deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment.
All transfers, deposits, withdrawals, and payments remain in normal usage…
— Infini (@0xinfini) February 24, 2025
In a post on X, Infini founder Christian Li took full responsibility for the exploit, clarifying that the breach did not result from a private key leak but rather his negligence in transferring authority from the developer to the project. “My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm… There is no problem with liquidity. Full compensation can be paid, and the funds are being traced,” he wrote.
Despite this reassurance, some on-chain analyses, including those from PeckShield, suggest a potential private key compromise, adding another layer of complexity to the investigation.
Impact of the Exploit
The exploit has raised serious questions about private key management, smart contract security, and the risks of insider threats in DeFi platforms.
As a neobank that has experienced meteoric growth, boasting a 500% monthly increase in active users since its inception, particularly after launching its crypto card campaigns, Infini now faces a critical test of its resilience. The neobank’s high-yield products, designed to attract liquidity, inadvertently provided the conditions for the exploit, amplifying the financial impact.
This incident follows closely on the heels of the Bybit exchange hack, which saw a staggering $1.4 billion drained through manipulated smart contract logic. The similarity in tactics, namely splitting and mixing ETH, has led on-chain investigator ZachXBT to speculate that