Infini Suffers $49M USDC Exploit as Attacker Abuses Retained Admin Privileges

Infini, a well-known DeFi platform, has suffered a significant exploit. According to Cyvers Alerts, a blockchain security platform, Infini lost $49M in $USDC after an attacker abused retained admin privileges. Cyvers Alerts disclosed the incident on social media.

Attacker Exploits Unrevoked Admin Privileges to Drain $49M $USDC from Infini

Cyvers Alerts attributes the Infini exploit to the attacker's abuse of retained admin privileges in Infini's smart contract. The blockchain security firm identified “0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1” as the attacker’s wallet address. The attacker had reportedly been involved in developing Infini's smart contract, which was then handed over to Infini’s project team. However, the developer had retained administrative access, and that loophole permitted the attacker to exploit the smart contract.

The attacker exploited this loophole a considerable time after the project launched, executing the exploit approximately up to one hundred days after the project’s completion. The attacker began by funding an address via Tornado Cash, a privacy-focused crypto mixer, to obfuscate the transfer trail. Subsequently, the exploiter sent a minor $ETH transfer to cover the gas fee for the exploit’s execution. Ultimately, the attacker drained Infini's entire funds through the smart contract.

DeFi Projects Need Preemptive Measures to Prevent Future Attacks

According to Cyvers Alerts, the Infini exploit highlights inadequate access control processes as well as a failure to revoke administrative privileges. Teams behind DeFi projects should therefore pay considerable heed to such loopholes to avoid exploits. Additionally, there is a need for real-time threat detection, proactive security monitoring, routine audits, and strict access control mechanisms.
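One way to run the access-control audit recommended above, as an added example that is not from Cyvers Alerts or Infini: replay a contract's role events and report every privileged holder the team has not approved. It assumes the contract emits OpenZeppelin AccessControl-style `RoleGranted` / `RoleRevoked` events; the addresses, the `WITHDRAW_ROLE` name, the event log and the approval policy are all constructed.

```python
from collections import defaultdict

# Constructed placeholder addresses (not taken from the incident).
DEV = "0x" + "d1" * 20        # developer's deployment key
MULTISIG = "0x" + "a5" * 20   # project team's multisig
KEEPER = "0x" + "b7" * 20     # automation bot

# Constructed log as (block, log_index, event, role, account), shaped like
# OpenZeppelin AccessControl events. Assumption: the audited contract emits them.
EVENTS = [
    (100, 0, "RoleGranted", "DEFAULT_ADMIN_ROLE", DEV),
    (100, 1, "RoleGranted", "WITHDRAW_ROLE", DEV),  # hypothetical role name
    (250, 0, "RoleGranted", "DEFAULT_ADMIN_ROLE", MULTISIG),
    (250, 1, "RoleGranted", "WITHDRAW_ROLE", KEEPER),
    (251, 0, "RoleRevoked", "DEFAULT_ADMIN_ROLE", DEV),  # handover revoked one role only
]

# Holders the project team expects after handover (hypothetical policy).
APPROVED = {
    "DEFAULT_ADMIN_ROLE": {MULTISIG},
    "WITHDRAW_ROLE": {KEEPER},
}


def current_holders(events):
    """Replay grant/revoke events in chain order and return role -> holders."""
    holders = defaultdict(set)
    for _block, _idx, kind, role, account in sorted(events, key=lambda e: (e[0], e[1])):
        account = account.lower()  # hex addresses compare case-insensitively
        if kind == "RoleGranted":
            holders[role].add(account)
        elif kind == "RoleRevoked":
            holders[role].discard(account)
    return holders


def retained_privileges(events, approved):
    """Return sorted (role, account) pairs that are still active but not approved."""
    findings = []
    for role, accounts in current_holders(events).items():
        allowed = {a.lower() for a in approved.get(role, set())}
        findings.extend((role, a) for a in accounts - allowed)
    return sorted(findings)


if __name__ == "__main__":
    for role, account in retained_privileges(EVENTS, APPROVED):
        print(f"UNAPPROVED HOLDER role={role} account={account}")
```

Contract ownership and proxy-admin settings do not appear as role events, so they need the same comparison against the approved set.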

Source: https://blockchainreporter.net/infini-suffers-49m-usdc-exploit-as-attacker-abuses-retained-admin-privileges/