Infini's USDC vault contract on Ethereum used role-based access control in which a privileged role (later identified by its role hash `0x8e0b...`) could call a transferFunds-style function that moved the entire vault balance to an arbitrary recipient. During deployment that role was granted to an EOA controlled by the third-party contract developer who had built the initial version of the vault months earlier. After delivery the team migrated operational ownership to a multisig but never called revokeRole / renounceRole for the developer's address, so the role assignment persisted in the proxy's storage. On 2025-02-24 the developer (or someone holding that EOA's key) signed a single transaction calling the privileged withdraw path and moved 49.5M USDC to an attacker-controlled address; the funds were immediately swapped to DAI, then to ETH, and laundered through Tornado Cash. The vault contract's code was not exploited; its access-control configuration was.
Classification: Protocol Logic. Technique: Dev Privilege Oversight Exploit. Target type: DeFi Protocol. Affected chains: Ethereum.
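The check a post-deployment review would have caught this with is a replay of the contract's RoleGranted / RoleRevoked events to list who still holds each role, then a comparison against the addresses that are supposed to hold them. The script below is an added example, not Infini's code or OpenZeppelin's: the two event topic hashes are the standard keccak256 signatures of OpenZeppelin AccessControl's RoleGranted and RoleRevoked events, DEFAULT_ADMIN_ROLE is the zero bytes32 from that library, and everything else (the TRANSFER_ROLE hash, the deployer and multisig addresses, the log entries) is constructed to mirror the sequence in the narrative: a role granted to the deployer at deployment, ownership migrated to a multisig, admin renounced, the withdraw role never revoked.

```python
"""Replay OpenZeppelin AccessControl role events to find lingering role holders.

Added audit example; not Infini's code. The two topic hashes are the standard
keccak256 event signatures from OpenZeppelin AccessControl. Addresses, the
TRANSFER_ROLE hash and the log entries below are constructed for illustration.
"""
from collections import defaultdict

# keccak256("RoleGranted(bytes32,address,address)")
ROLE_GRANTED = "0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d"
# keccak256("RoleRevoked(bytes32,address,address)")
ROLE_REVOKED = "0xf6391f5c32d9c69d2a47ea670b442974b53935d1edc7fd64eb21e047a839171b"

# OpenZeppelin's DEFAULT_ADMIN_ROLE is bytes32(0); TRANSFER_ROLE is a placeholder hash.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32
TRANSFER_ROLE = "0x" + "ab" * 32  # hypothetical stand-in for keccak256("TRANSFER_ROLE")

# Hypothetical addresses: the original contract developer's EOA and the ops multisig.
DEPLOYER = "0x1111111111111111111111111111111111111111"
MULTISIG = "0x2222222222222222222222222222222222222222"


def address_topic(addr: str) -> str:
    """Encode an address the way an indexed address appears in a log topic (left-padded to 32 bytes)."""
    return "0x" + "0" * 24 + addr[2:].lower()


def topic_to_address(topic: str) -> str:
    """Decode an indexed address from a 32-byte topic by taking the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def _log(block: int, index: int, sig: str, role: str, account: str, sender: str) -> dict:
    """Build a minimal eth_getLogs-shaped entry (only the fields the replay needs)."""
    return {"blockNumber": block, "logIndex": index,
            "topics": [sig, role, address_topic(account), address_topic(sender)]}


# Constructed log history mirroring the incident narrative.
SAMPLE_LOGS = [
    # Deployment: deployer grants itself admin and the privileged transfer role.
    _log(100, 0, ROLE_GRANTED, DEFAULT_ADMIN_ROLE, DEPLOYER, DEPLOYER),
    _log(100, 1, ROLE_GRANTED, TRANSFER_ROLE, DEPLOYER, DEPLOYER),
    # Handover: both roles granted to the multisig, deployer renounces admin only.
    _log(500, 0, ROLE_GRANTED, DEFAULT_ADMIN_ROLE, MULTISIG, DEPLOYER),
    _log(500, 1, ROLE_GRANTED, TRANSFER_ROLE, MULTISIG, DEPLOYER),
    _log(501, 0, ROLE_REVOKED, DEFAULT_ADMIN_ROLE, DEPLOYER, DEPLOYER),
    # Note what is missing: no RoleRevoked(TRANSFER_ROLE, DEPLOYER, ...).
]


def replay_role_events(logs: list[dict]) -> dict[str, set[str]]:
    """Return {role_hash: {accounts}} still holding each role after replaying grants and revokes in chain order."""
    holders: dict[str, set[str]] = defaultdict(set)
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        sig, role = log["topics"][0], log["topics"][1]
        account = topic_to_address(log["topics"][2])
        if sig == ROLE_GRANTED:
            holders[role].add(account)
        elif sig == ROLE_REVOKED:
            holders[role].discard(account)
        # Other events (RoleAdminChanged etc.) do not change membership; ignore them.
    return {role: accts for role, accts in holders.items() if accts}


def unexpected_holders(holders: dict[str, set[str]], allowed: list[str]) -> dict[str, list[str]]:
    """Accounts holding any role that are not on the allow-list (normally just the ops multisig)."""
    allowed_set = {a.lower() for a in allowed}
    return {role: sorted(accts - allowed_set)
            for role, accts in holders.items() if accts - allowed_set}


if __name__ == "__main__":
    current = replay_role_events(SAMPLE_LOGS)
    for role, extra in unexpected_holders(current, [MULTISIG]).items():
        print(f"role {role[:10]}... still held by unexpected account(s): {extra}")
```

Against a live deployment, fetch the logs with eth_getLogs filtered on the proxy address (delegatecalled implementations emit under the proxy's address) and the two topic hashes from the deployment block onward, then feed them to `replay_role_events`. Treat the event replay as a screen, not proof: confirm each suspected holder with an on-chain `hasRole(role, account)` call, since an upgrade or a custom initializer could write role storage without emitting events, and treat any EOA on the result list as a finding until the role is revoked.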
- chain: ethereum
- protocol: Infini
- bug_class: logic
- date_occurred: 2025-02-24
- loss_usd: $49,500,000
- classification: Protocol Logic
- technique: Dev Privilege Oversight Exploit
- target_type: DeFi Protocol
- source_id: dl:adhoc:infini:1740355200