On February 24, 2025, the stablecoin neobank Infini lost $49.5 million in two transactions from its Morpho MEVCapital USDC vault. The address that drained the vault was not an external attacker — it was the wallet that had originally developed the contract, retaining a privileged withdrawal role that the Infini team did not know existed.
What happened
Infini's vault was deployed via the Morpho protocol, a permissionless lending market on Ethereum. As part of the deployment, a specific address — 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, controlled by the original smart-contract developer — was granted a privileged role that allowed it to withdraw funds from the vault directly.
After launch, this role was not revoked. The Infini team operated under the (incorrect) assumption that ownership and operational control of the vault had transferred entirely to them. The original developer's address sat dormant for months.
On February 24:
- The developer-controlled address called the privileged withdraw function and pulled $11.45M from the vault.
- In a second transaction, they pulled another $38.06M.
- The combined $49.5M was swapped to DAI, then to 17,696 ETH ($49M at the time), and bridged through anonymising routes.
Infini's founder Christian later clarified publicly that the incident was not a private-key leak in the traditional sense — the attacker was the legitimate holder of the key that controlled the privileged role. The compromise was that the role itself was never supposed to exist in production.
Aftermath
- Infini paused vault operations and offered the attacker a 20% bounty for return of funds. No return.
- The team committed to 100% user reimbursement from corporate reserves.
- Forensic firms and on-chain investigators identified the developer wallet as the originator of the vault's deployment contract — a clear inside operator profile.
Why it matters
Infini is the cleanest 2025 case for vendor-developer-key risk in DeFi. Many DeFi protocols are deployed by external development shops or freelance smart-contract engineers who, in the deployment process, give themselves privileged roles for testing — and forget to revoke them, or are not asked to. The defensive answer is well-known and rarely followed:
- Deployment scripts must explicitly revoke all deployer-held roles as the final step.
- Post-deployment audits should enumerate every privileged role and confirm its expected holder before going live.
- On-chain monitoring should alert on any dormant-role activity after a defined inactivity window.
Infini's $49.5M was the price of skipping all three checks.
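The second and third checks above (enumerate every privileged role and confirm its expected holder; alert on dormant-role activity), as an added Python example that is not code from Infini, Morpho, or any of the cited write-ups. It assumes an OpenZeppelin AccessControl-style RoleGranted/RoleRevoked event shape (Morpho's own vault contracts use a different role model), and all addresses, role names and event records are constructed; in production the events and calls would come from eth_getLogs or a tracing backend rather than an inline list.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed event record in the shape of AccessControl's RoleGranted /
# RoleRevoked events (assumption: the real vault's role model differs).
@dataclass(frozen=True)
class RoleEvent:
    block: int
    kind: str       # "RoleGranted" or "RoleRevoked"
    role: str
    account: str

# Constructed privileged-call record (what a tracer would hand the monitor).
@dataclass(frozen=True)
class PrivilegedCall:
    timestamp: int  # unix seconds
    caller: str
    function: str

# Hypothetical addresses, not the real Infini or developer wallets.
DEPLOYER = "0xdeployer00000000000000000000000000000001"
TEAM_MULTISIG = "0xteam000000000000000000000000000000000002"
ALLOCATOR_BOT = "0xallocator0000000000000000000000000000003"

# Constructed log: the deployer grants itself admin and withdraw rights for
# testing, hands the roles to the team, revokes its own admin role, and
# never revokes its own withdraw role.
SAMPLE_LOG: List[RoleEvent] = [
    RoleEvent(100, "RoleGranted", "ADMIN", DEPLOYER),
    RoleEvent(100, "RoleGranted", "WITHDRAW", DEPLOYER),
    RoleEvent(101, "RoleGranted", "ADMIN", TEAM_MULTISIG),
    RoleEvent(101, "RoleGranted", "WITHDRAW", TEAM_MULTISIG),
    RoleEvent(101, "RoleGranted", "ALLOCATOR", ALLOCATOR_BOT),
    RoleEvent(102, "RoleRevoked", "ADMIN", DEPLOYER),
    # no RoleRevoked("WITHDRAW", DEPLOYER): the forgotten role survives
]

# What the operator believes the role table looks like after go-live.
EXPECTED_HOLDERS: Dict[str, Set[str]] = {
    "ADMIN": {TEAM_MULTISIG},
    "WITHDRAW": {TEAM_MULTISIG},
    "ALLOCATOR": {ALLOCATOR_BOT},
}

def current_holders(events: List[RoleEvent]) -> Dict[str, Set[str]]:
    """Replay grant/revoke events in block order to get live role holders."""
    holders: Dict[str, Set[str]] = {}
    for ev in sorted(events, key=lambda e: e.block):
        accounts = holders.setdefault(ev.role, set())
        if ev.kind == "RoleGranted":
            accounts.add(ev.account)
        elif ev.kind == "RoleRevoked":
            accounts.discard(ev.account)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return holders

def unexpected_holders(holders: Dict[str, Set[str]],
                       expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Roles whose live holder set contains addresses the operator did not expect."""
    findings: Dict[str, Set[str]] = {}
    for role, accounts in holders.items():
        extra = accounts - expected.get(role, set())
        if extra:
            findings[role] = extra
    return findings

def dormant_role_alerts(calls: List[PrivilegedCall],
                        last_activity: Dict[str, int],
                        inactivity_window: int) -> List[PrivilegedCall]:
    """Flag privileged calls from a caller silent for longer than the window.

    last_activity seeds each caller's last known action (e.g. the role grant
    time); a caller with no recorded activity at all is also flagged, since
    that is exactly what a forgotten role looks like when it wakes up.
    """
    seen = dict(last_activity)
    alerts: List[PrivilegedCall] = []
    for call in sorted(calls, key=lambda c: c.timestamp):
        prev = seen.get(call.caller)
        if prev is None or call.timestamp - prev > inactivity_window:
            alerts.append(call)
        seen[call.caller] = call.timestamp
    return alerts

DAY = 86_400
T0 = 1_700_000_000  # constructed deployment timestamp
LAST_ACTIVITY = {TEAM_MULTISIG: T0, ALLOCATOR_BOT: T0, DEPLOYER: T0}
SAMPLE_CALLS = [  # constructed: routine ops, then a withdraw after ~200 idle days
    PrivilegedCall(T0 + 1 * DAY, TEAM_MULTISIG, "setFee"),
    PrivilegedCall(T0 + 2 * DAY, ALLOCATOR_BOT, "reallocate"),
    PrivilegedCall(T0 + 3 * DAY, ALLOCATOR_BOT, "reallocate"),
    PrivilegedCall(T0 + 200 * DAY, DEPLOYER, "withdraw"),
]

if __name__ == "__main__":
    print("unexpected:", unexpected_holders(current_holders(SAMPLE_LOG), EXPECTED_HOLDERS))
    print("dormant-role alerts:", dormant_role_alerts(SAMPLE_CALLS, LAST_ACTIVITY, 30 * DAY))
```

The first check is a pre-launch gate: if `unexpected_holders` returns anything, the deployment is not finished. The second runs continuously, and the threshold matters: with a 30-day window the deployer's withdraw call is flagged on the first transaction, which is the only point at which an alert could still have mattered here.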