0xInfini Incident Analysis
2/26/2025
Incident Summary

On 24 February 2025, 0xInfini was targeted by an attack that resulted in a loss of ~$49M. A key wallet used in the attack had previously been involved in the development of Infini contracts and had retained admin rights, which were used to redeem all Vault tokens. The 0xInfini team have reached out to the attacker and offered a 20% bounty as a reward, with a 48-hour deadline to return the remaining 80%.
As of 27 February 2025, the stolen funds have not been returned and remain in the attacker's wallet 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49.

Key Transactions

0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1 granted role 0x8e0b to itself: https://etherscan.io/tx/0xdb3a507855abc229610f443b06d0f0896e47e2654a76c6f3e37c6e265d1f42cd

0xc49b whitelisted attacker address: https://etherscan.io/tx/0xb12b32f4543ff0df4a4024affc51b81b773fa9f6d0fd52f2b1f65d99f105bd86

Assets taken:
https://etherscan.io/tx/0xacf84c5944f662a4fcf783806993d713a150994932008e72e4e47a58d6665f7f
https://etherscan.io/tx/0xecb31ff694c0e6c5e5b225c261854c0749ecf5d53c698fcda61f2d8e3db8f9fc

Attack Flow

Addresses

Compromised account: 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1
Compromised contract: 0x9a79f4105a4e1a050ba0b42f25351d394fa7e1dc
Attacker: 0x3ac96134fb0e42a52d33045aee50b89790f05ed0
Attacker: 0xfcc8ad911976d752890f2140d9f4edd2c64a6e49

Step by Step

  1. Using existing permissions, the attacker (0xc49b5e5B9DA66B9126c1a62e9761E6b2147DE3E1) was able to grant role "0x8e0b", which is used exclusively by function 0xcfda09ef(), to itself. With this role the attacker executed 0x1c8c8fe2() with 0x3ac96134fb0e42a52d33045aee50b89790f05ed0 as the input (varg0) to add the address to an allowlist.

This enables the attacker to call 0xcfda09ef() and redeem all vault tokens to 0x3ac.

  2. With the permissions in place, the attacker drained 0x9a79f4105a4e1a050ba0b42f25351d394fa7e1dc by calling 0xcfda09ef() with the arbitrary input e0e83f21d5b6da61c9cf75d3b89fbcacfbfde327. That allowed the attacker to redeem 11,301,933 Resolv USDC and receive 11,455,666 USDC (https://etherscan.io/tx/0xacf84c5944f662a4fcf783806993d713a150994932008e72e4e47a58d6665f7f), in addition to redeeming 35,654,943 USUALUSDC+ for 35,654,943 USDC (https://etherscan.io/tx/0xecb31ff694c0e6c5e5b225c261854c0749ecf5d53c698fcda61f2d8e3db8f9fc).

Vulnerability

The compromised smart contract includes a dedicated method, 0xcfda09ef(), designed to process "vault tokens" such as resolvUSDC and USUALUSDC+. This method accepts five arbitrary inputs, among which:

  • varg0 represents the amount to be redeemed,
  • varg2 specifies the recipient address,
  • varg3 corresponds to the InfiniMorphoStrategy contract, responsible for managing interactions with MorphoBlue protocols and handling the vault tokens.

Besides the 0x8e0b role, the method only checks that the receiver address is listed, the token address is valid, and the strategy address is valid without requiring any additional permissions or conditions.

With the admin role it’s easy to list the receiver address by calling 0x1c8c(), effectively making the admin address a single point of failure as we have seen in this incident.
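The role self-grant that opened this incident is the kind of event a monitor should page on. Below is an added example (not CertiK's analysis or Infini's code) that decodes RoleGranted logs in the OpenZeppelin AccessControl format, assuming the compromised contract emits that event, and flags self-grants and grants by any key outside an approved admin set; the full role hash, the multisig address and the second, benign log are constructed placeholders.

```python
from collections import namedtuple

# topic0 of OpenZeppelin AccessControl's RoleGranted(bytes32 role, address account, address sender)
ROLE_GRANTED_TOPIC = "0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d"
COMPROMISED = "0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1"        # from the post
TREASURY_MULTISIG = "0x0000000000000000000000000000000000000aaa"  # constructed placeholder
ROLE_8E0B = "0x8e0b" + "00" * 30                                 # placeholder: only the prefix is public
RoleGrant = namedtuple("RoleGrant", "tx role account sender")

def pad_address(addr: str) -> str:
    """Indexed address params are ABI-encoded as 32-byte topics, left-padded with zeros."""
    return "0x" + "0" * 24 + addr[2:].lower()

# Constructed logs: the self-grant from the incident's tx, plus a benign grant made by the multisig.
SAMPLE_LOGS = [
    {"tx": "0xdb3a507855abc229610f443b06d0f0896e47e2654a76c6f3e37c6e265d1f42cd",
     "topics": [ROLE_GRANTED_TOPIC, ROLE_8E0B, pad_address(COMPROMISED), pad_address(COMPROMISED)]},
    {"tx": "0x" + "01" * 32,
     "topics": [ROLE_GRANTED_TOPIC, ROLE_8E0B, pad_address("0x" + "22" * 20), pad_address(TREASURY_MULTISIG)]},
]

def decode_role_grants(logs) -> list:
    """Keep only RoleGranted logs and unpack the three indexed params from their topics."""
    grants = []
    for log in logs:
        t = [x.lower() for x in log["topics"]]
        if len(t) != 4 or t[0] != ROLE_GRANTED_TOPIC:
            continue  # not a RoleGranted event (or malformed)
        grants.append(RoleGrant(log["tx"], t[1], "0x" + t[2][-40:], "0x" + t[3][-40:]))
    return grants

def flag_grants(grants, expected_admins) -> list:
    """Alert on self-grants and on grants made by any key outside the approved admin set."""
    approved = {a.lower() for a in expected_admins}
    alerts = []
    for g in grants:
        if g.account == g.sender:
            alerts.append((g, "self-grant: a key escalated its own privileges"))
        elif g.sender not in approved:
            alerts.append((g, "grant by a key outside the approved admin set"))
    return alerts

def run_sample() -> list:
    """Alerts for the constructed logs: only the self-grant from the incident tx should fire."""
    return flag_grants(decode_role_grants(SAMPLE_LOGS), [TREASURY_MULTISIG])
```

In production the same check would run over logs pulled from a node for the contract's address, with the approved admin set taken from the deployment's multisig and timelock addresses.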

Fund Flow

0x3ac96134fb0e42a52d33045aee50b89790f05ed0 was initially funded from Tornado Cash a few hours before the attack; part of that ETH was sent to 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1 to cover gas fees. 0x3ac9 then received ~$49.5M USDC from the exploit.

Once the funds were received, the attacker swapped USDC for DAI on Uniswap across multiple transactions (https://etherscan.io/tokentxns?a=0x3ac96134fb0e42a52d33045aee50b89790f05ed0).

The attacker then converted the DAI into 17,696 ETH before transferring it to 0xfcc8ad911976d752890f2140d9f4edd2c64a6e49, where it still remains as of writing.

Conclusion

The exploit highlights a major vulnerability, demonstrating how admin privileges can become a single point of failure. One fundamental aspect of blockchain security is understanding how to protect your private keys. To gain deeper insights into this foundational security principle and its implications for protecting assets, you can explore this article.

To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.