On February 24, Check Point Blockchain Threat Intel System reported a complex breach targeting the decentralized finance (DeFi) platform Infini. Infini operates as a digital banking service in the cryptocurrency space, providing users with savings yields alongside other financial services. The platform’s mission is to make crypto assets more practical and accessible for everyday transactions. It recently experienced a significant security incident that compromised its yield management system, leading to the theft of around 50 million USDC. The attacker took advantage of compromised private keys, manipulated access controls, and executed a series of transactions to siphon off the funds.
The Breach of Private Key Security
The attack commenced with transactions originating from the address 0xc49b5e5B9DA66B9126c1a62e9761E6b2147DE3E1, which possessed administrative rights within the protocol. Infini has indicated that it believes this private key may have been compromised. Securing private keys is one of the hardest problems in blockchain security. Even with stringent safeguards, advanced attackers can occasionally gain access through methods such as phishing or malware. Without a thorough investigation, it is too early to say definitively how the administrative access was acquired. With control over this key, the attacker could authorize transactions as though they were the legitimate holder, a crucial first step in gaining access to the protocol.
Manipulating the Role-Based Access Control System
The decompiled contract code contains the function that governs role authorization. Because the compromised address held administrative rights, the attacker could use the compromised key to assign the REDEEMER_ROLE to themselves.
Establishing the Path for Fund Extraction
Before the attacker could withdraw any funds, they needed to register their address as a legitimate destination. The contract code contains a function that registers an address in the map_4 mapping, which the withdrawal function checks during execution. The attacker used the compromised key to invoke this function, designating their address as a valid withdrawal destination and opening the exit path for funds leaving the protocol.
The Withdrawal Mechanism
The core of this exploit was the ability to execute the token redemption function, identified by the 4-byte function selector 0xcfda09ef. This function verifies that the caller has the REDEEMER_ROLE, confirms the token’s validity, ensures that the destination is registered, checks whether the contract holds sufficient tokens and, if necessary, draws tokens from the designated strategy before transferring them to the specified address. With the REDEEMER_ROLE and their address registered in map_4, the attacker could now invoke this function to drain the funds into their wallet.
The Attack Execution
The culmination of the attack was a transaction that called the 0xcfda09ef function. Decoded, its parameters were the token 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 (USDC), an amount of 0x0000000000000000000000000000000000000000000000000000229dc4298257, a destination of 0x3ac96134fb0e42a52d33045aee50b89790f05ed0 (controlled by the attacker), and a strategy address for holding the funds.
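For incident responders reading such a transaction, the decoding step above can be reproduced offline. This is an added example, not code from Infini or Check Point; the argument order (token, amount, destination, strategy) is an assumption taken from the order in which the article lists them, and the strategy address is a placeholder because the article does not give it.

```python
from decimal import Decimal
from typing import NamedTuple

REDEEM_SELECTOR = bytes.fromhex("cfda09ef")      # selector named in the article
USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"
TOKEN_DECIMALS = {USDC: 6}                       # USDC uses 6 decimals

class Redeem(NamedTuple):
    token: str
    amount_raw: int
    amount: Decimal
    destination: str
    strategy: str

def _address(word: bytes) -> str:
    # An ABI-encoded address is a 32-byte word left-padded with 12 zero bytes.
    if word[:12] != bytes(12):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_redeem(calldata: bytes) -> Redeem:
    """Decode a 0xcfda09ef call. ASSUMED layout: token, amount, destination, strategy."""
    if calldata[:4] != REDEEM_SELECTOR:
        raise ValueError("not a 0xcfda09ef call")
    body = calldata[4:]
    if len(body) != 4 * 32:
        raise ValueError("expected four 32-byte arguments")
    words = [body[i:i + 32] for i in range(0, 128, 32)]
    token = _address(words[0])
    if token not in TOKEN_DECIMALS:
        raise ValueError("unknown token; decimals not configured")
    raw = int.from_bytes(words[1], "big")
    amount = Decimal(raw).scaleb(-TOKEN_DECIMALS[token])  # base units -> tokens
    return Redeem(token, raw, amount, _address(words[2]), _address(words[3]))

def pad(hex_value: str) -> str:
    # Left-pad a 0x-prefixed hex value to one 32-byte ABI word.
    return hex_value[2:].rjust(64, "0")

# Constructed calldata: token, amount and destination are the values quoted
# in the article; the strategy address is a labelled placeholder.
PLACEHOLDER_STRATEGY = "0x" + "00" * 19 + "01"
SAMPLE = bytes.fromhex(
    "cfda09ef" + pad(USDC) + pad("0x229dc4298257")
    + pad("0x3ac96134fb0e42a52d33045aee50b89790f05ed0") + pad(PLACEHOLDER_STRATEGY))

if __name__ == "__main__":
    print(decode_redeem(SAMPLE))
```

Scaling by USDC's 6 decimals shows that this single call moved about 38.06 million USDC.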
The Bounty Proposal
In response to the incident, Infini adopted a strategy that has become more prevalent in the DeFi sector. The team sent an on-chain message to the attacker, proposing a bounty of 20% of the stolen amount (approximately 10 million USDC) should the remaining funds be returned. This message was included in a transaction directed at the attacker’s wallet. This tactic, often referred to as a “white hat agreement” or “post-factum bug bounty,” has had occasional success in recovering assets when the attacker is motivated mainly by financial gain rather than by an intent to harm the protocol. The approach recognizes that pursuing legal recovery of cryptocurrency can be arduous and lengthy, while offering the attacker a legitimate opportunity for profit without facing legal repercussions. As of now, it remains uncertain whether the attacker will accept this proposal.
Key Security Takeaways
This breach underscores several vital security lessons for DeFi protocols: the significance of private key security, as this incident stemmed from a stolen key; the necessity of role separation, since the compromised account held both administrative powers and the ability to add withdrawal addresses; the importance of implementing time-locks and monitoring mechanisms to detect and potentially avert attacks; and the need for withdrawal limits to prevent a complete drain of assets in a single transaction.
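The time-lock, monitoring and withdrawal-limit takeaways can be combined into one off-chain check over the protocol's admin and redemption activity. This is an added example, not code from Infini or Check Point; the event names, the 24-hour window, the 1 million USDC cap and the sample timeline are all assumptions.

```python
from dataclasses import dataclass

TIMELOCK_S = 24 * 3600          # assumed policy: new grants/destinations mature after 24 h
MAX_REDEEM = 1_000_000 * 10**6  # assumed per-transaction cap: 1M USDC in base units

@dataclass
class Event:
    ts: int          # block timestamp in seconds
    kind: str        # "role_granted", "dest_registered" or "redeem"
    caller: str      # transaction sender
    subject: str     # grantee, registered address, or redeem destination
    amount: int = 0  # base units; only used by "redeem"

def review(events):
    """Return [(event, [reasons])] for redemptions that break the assumed policy."""
    granted, registered, alerts = {}, {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "role_granted":
            granted[e.subject] = e.ts
        elif e.kind == "dest_registered":
            registered[e.subject] = e.ts
        elif e.kind == "redeem":
            reasons = []
            # Grants and registrations older than the monitored history are
            # absent from the maps and therefore treated as mature.
            if e.caller in granted and e.ts - granted[e.caller] < TIMELOCK_S:
                reasons.append("caller received REDEEMER_ROLE inside the timelock window")
            if e.subject in registered and e.ts - registered[e.subject] < TIMELOCK_S:
                reasons.append("destination registered inside the timelock window")
            if e.amount > MAX_REDEEM:
                reasons.append("amount exceeds per-transaction limit")
            if reasons:
                alerts.append((e, reasons))
    return alerts

# Constructed timeline: addresses are labels and timestamps are made up.
# The final amount is the article's 0x229dc4298257 expressed in base units.
SAMPLE = [
    Event(0, "role_granted", "0xADMIN", "0xOPS"),
    Event(10, "dest_registered", "0xADMIN", "0xTREASURY"),
    Event(200_000, "redeem", "0xOPS", "0xTREASURY", 50_000 * 10**6),
    Event(300_000, "role_granted", "0xADMIN", "0xNEW"),
    Event(300_120, "dest_registered", "0xADMIN", "0xNEW"),
    Event(300_600, "redeem", "0xNEW", "0xNEW", 38_060_996_264_535),
]

if __name__ == "__main__":
    for event, reasons in review(SAMPLE):
        print(event.ts, event.caller, reasons)
```

The routine redemption by the long-standing operator passes, while the redemption that follows a fresh role grant and destination registration trips all three rules.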
Final Thoughts
This incident illustrates how seemingly distinct security weaknesses can be interconnected, leading to catastrophic outcomes. The attacker systematically acquired a private key with administrative rights, assigned themselves the REDEEMER_ROLE, registered their address as a legitimate withdrawal destination, and executed the withdrawal function to deplete approximately 50 million USDC. Each action built upon the last, culminating in a total compromise of the protocol. Although the code included various security checks, the primary vulnerability was that once the private key was compromised, the role-based system could be exploited from within. This situation serves as a reminder that security measures are only as strong as their weakest element, and that sophisticated attackers can chain numerous minor vulnerabilities to achieve their objectives.