How a Single Access Control Flaw Cost Infini $49.5M?

Published on: February 25, 2025 (5 minute read)

On February 24, Infini, a prominent player in the DeFi space, found itself at the center of a massive security breach.

A hacker managed to siphon off a staggering $49.5 million from the Morpho MEVCapital USDC Vault.

The exploit was swift, calculated, and devastating.

Let’s break down what happened, how it happened, and what we can learn from this incident.

How Did the Hacker Pull This Off?

The exploit was a classic case of compromised access and privilege escalation. Here’s the play-by-play:

  1. The Private Key Breach:

    The hacker (0x3ac96134Fb0e42a52D33045AeE50b89790f05Ed0) gained access to a private key associated with the account 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1. This account had been granted a special role (0x8e0b) that allowed it to withdraw funds from the vault.

  2. The Two-Punch Drain:

    The attacker executed two transactions:

    • First, they withdrew $11.45 million.
    • Then, in a second transaction, they drained an additional $38.06 million.

    The total haul? $49.5 million.

  3. The Swap:

    The hacker didn’t just sit on the stolen USDC. They quickly swapped the entire amount into DAI and then converted it into 17,696 ETH (worth approximately $49 million at the time).

  4. The Holding Wallet:

    The funds were moved to the wallet 0xfcc8...6e49, where they currently sit. As of now, the hacker hasn’t used any mixers or further obfuscation techniques, which might give Infini a fighting chance to trace and recover the funds.

Who’s to Blame? The Founder? The Hacker? The Unverified Contract?

The blame game is always tricky in these situations, but let’s break it down:

  1. The Founder’s Admission:

    Christian, the founder of Infini, took responsibility for the breach.

    He clarified that his personal private key wasn’t leaked but admitted to being negligent when transferring contract authority. His exact words:

    "My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm."

  2. The Unverified Contract:

    The exploit involved an unverified contract on the Ethereum mainnet (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC). Unverified contracts are like black boxes—nobody knows what’s inside unless the creator reveals the code. This lack of transparency likely played a role in the breach.

  3. The Hacker’s Playbook:

    The hacker’s moves were methodical and well-executed. They exploited the compromised account, drained the funds, and swiftly converted them into ETH to make tracing more difficult.

Infini is now in damage control mode. Here’s what they’re doing:

  1. Tracing the Funds:

    The team is working to trace the stolen ETH. Since the funds haven’t been mixed or moved further, there’s a glimmer of hope for recovery.

  2. Reimbursing Users:

    In the worst-case scenario, Infini has committed to reimbursing all affected users. This is a bold move and shows they’re taking responsibility for the breach.

  3. Strengthening Security:

    This incident has been a wake-up call for Infini. They’re likely reviewing their security protocols, especially around contract authority transfers and private key management.

What Can We Learn from This?

The Infini hack is a stark reminder of the risks in the DeFi space. Here are some key takeaways:

  1. Private Keys Are Sacred:

    Compromised private keys can lead to catastrophic losses. Always store them securely and limit access to trusted individuals.

  2. Verify Your Contracts:

    Unverified contracts are a red flag. Always ensure contracts are transparent and audited before interacting with them.

  3. Limit Privileges:

    Granting excessive permissions to accounts is a recipe for disaster. Implement role-based access controls to minimize risk.

  4. Act Fast, But Don’t Panic:

    In the event of a breach, swift action is crucial. However, transparency and accountability (like Infini’s commitment to reimbursing users) can help rebuild trust.
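The founder's admission about a negligent authority transfer and the "Limit Privileges" takeaway point at the same two controls: a withdrawal role that cannot empty the vault in a couple of transactions, and a contract-authority handover that cannot happen silently or by mistake. As an added example (not Infini's or Morpho's code), this hypothetical Solidity vault caps what the withdrawer role can move per rolling window and makes the admin handover a delayed two-step process; GuardedVault, WITHDRAWER_ROLE, the OpenZeppelin AccessControl base and the window and delay values are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
// Hypothetical vault (not Infini's or Morpho's code): the withdrawer role is
// rate-limited, and admin authority moves only through a delayed two-step handover.
contract GuardedVault is AccessControl {
    bytes32 public constant WITHDRAWER_ROLE = keccak256("WITHDRAWER_ROLE");
    uint256 public constant WINDOW = 1 days;      // illustrative rate-limit window
    uint256 public constant ADMIN_DELAY = 2 days; // illustrative handover delay
    IERC20 public immutable asset;
    uint256 public immutable windowCap;           // max withdrawn per WINDOW
    uint256 private windowStart;
    uint256 private withdrawnInWindow;
    address public pendingAdmin;
    address private outgoingAdmin;
    uint256 public adminReadyAt;
    event AdminHandoverProposed(address indexed from, address indexed to, uint256 readyAt);
    constructor(IERC20 _asset, uint256 _windowCap) {
        asset = _asset;
        windowCap = _windowCap;
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }
    // A leaked withdrawer key can move at most windowCap per window, not the whole
    // balance, which leaves time to revoke the role once an alert fires.
    function withdraw(address to, uint256 amount) external onlyRole(WITHDRAWER_ROLE) {
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            withdrawnInWindow = 0;
        }
        require(withdrawnInWindow + amount <= windowCap, "window cap exceeded");
        withdrawnInWindow += amount;
        require(asset.transfer(to, amount), "transfer failed");
    }
    // Step 1: the current admin names a successor; nothing changes until the delay
    // passes, and the event lets monitoring see the pending handover before it takes effect.
    function proposeAdmin(address to) external onlyRole(DEFAULT_ADMIN_ROLE) {
        pendingAdmin = to;
        outgoingAdmin = msg.sender;
        adminReadyAt = block.timestamp + ADMIN_DELAY;
        emit AdminHandoverProposed(msg.sender, to, adminReadyAt);
    }
    // Step 2: only the named successor, only after the delay, so a mistyped or hostile
    // address cannot silently take over. AccessControl emits RoleGranted/RoleRevoked here.
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin && block.timestamp >= adminReadyAt, "not ready");
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _revokeRole(DEFAULT_ADMIN_ROLE, outgoingAdmin);
        delete pendingAdmin; delete outgoingAdmin; delete adminReadyAt;
    }
}
```

With a cap in place, two back-to-back withdrawals like the ones in this incident would stop at the window limit, and the AdminHandoverProposed event gives an off-chain watcher a full delay period to question an unexpected authority transfer.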
