Full Report
By: Dikla Barda, Roaman Zaikin & Oded Vanunu On February 24, Check Point Blockchain Threat Intel System observed a sophisticated attack on a DeFi protocol, Infini. Infini is a digital banking platform in the crypto space that offers its users savings yields and other financial services. The platform aims to make crypto assets more accessible […] The post How an Attacker Drained $50M from a DeFi Protocol Through Role Escalation appeared first on Check Point Research.
Analysis Summary
# Incident Report: DeFi Protocol Infini Funds Drain via Compromised Admin Key
## Executive Summary
A sophisticated attacker targeted the DeFi protocol Infini, exploiting a compromised administrative private key to gain control over the system's role-based access control. By leveraging administrative privileges, the attacker granted themselves withdrawal permissions, registered an output address, and subsequently drained approximately 50 million USDC from the yield management system. Infini attempted to recover the funds by offering the attacker a 20% bounty.
## Incident Details
- Discovery Date: February 24 (Observed by Check Point)
- Incident Date: February 24
- Affected Organization: Infini (Digital banking platform in the crypto space)
- Sector: Decentralized Finance (DeFi) / Crypto
- Geography: Undisclosed (Blockchain-based)
## Timeline of Events
### Initial Access
- Date/Time: On or before February 24
- Vector: Compromised Administrative Private Key
- Details: An attacker obtained a private key associated with an address ($\text{0xc49b5e5B9DA66B9126c1a62e9761E6b2147DE3E1}$) holding administrative privileges in the protocol.
### Lateral Movement
- Date/Time: During attack execution
- Vector: Manipulation of Role-Based Access Control (RBAC)
- Details: Using the compromised key, the attacker called a function to grant themselves the $\text{REDEEMER\_ROLE}$ within the contract, establishing the necessary permission for fund withdrawal.
### Data Exfiltration/Impact
- Date/Time: During attack execution
- Vector: Exploitation of Token Redemption Function
- Details: The attacker registered their external address ($\text{0x3ac96134fb0e42a52d33045aee50b89790f05ed0}$) as a valid destination, and then called the withdrawal function ($\text{0xcfda09ef}$) to drain approximately 50 million USDC from the yield strategy contract to the attacker-controlled wallet.
### Detection & Response
- Date/Time: February 24 (Discovery by Check Point)
- Details: The attack was detected through transaction monitoring. Post-incident, Infini immediately published an on-chain message to the attacker offering a 20% bounty (10 million USDC) for the return of remaining funds, acknowledging the difficulty of tracing and recovering stolen crypto assets.
## Attack Methodology
- Initial Access: Compromised Administrative Private Key (Phishing, malware, or other vector presumed, but unconfirmed).
- Persistence: Not explicitly detailed, but the configuration changes (role assignment and destination registration) served as persistence for the successful withdrawal execution.
- Privilege Escalation: Not required, as the initial access point already held administrative privileges. The attacker escalated control by granting themselves the specific $\text{REDEEMER\_ROLE}$.
- Defense Evasion: The attack leveraged legitimate, built-in functions of the smart contract, making rapid detection via simple anomaly analysis challenging if the primary vulnerability was key compromise.
- Credential Access: Compromise of the sensitive administrative private key.
- Discovery: The attacker likely used decompiled contract analysis to identify the necessary steps: role assignment and destination registration.
- Lateral Movement: Within the context of the smart contract, the attacker moved from possessing an admin key to possessing the $\text{REDEEMER\_ROLE}$ and a valid destination address.
- Collection: Identifying the USDC tokens held in the yield strategy.
- Exfiltration: Direct transfer ($\text{0xcfda09ef}$) of $\sim$50M USDC to the attacker's wallet ($\text{0x3ac96134fb0e42a52d33045aee50b89790f05ed0}$).
- Impact: Direct financial loss of $\sim$50 million USDC.
## Impact Assessment
- Financial: Loss of approximately 50 million USDC. (Bounty offered: 10 million USDC).
- Data Breach: N/A (Financial protocol compromise, data theft not the primary outcome).
- Operational: Significant disruption to the DeFi banking platform and loss of user trust.
- Reputational: Major negative impact on the protocol's standing in the crypto space.
## Indicators of Compromise
- Network indicators: Transactions originating from the administrative address ($\text{0xc49b5e5B9DA66B9126c1a62e9761E6b2147DE3E1}$) executing unauthorized administrative functions.
- File indicators: N/A (On-chain event).
- Behavioral indicators: Contract calls granting $\text{REDEEMER\_ROLE}$ to an address, followed immediately by a large-scale withdrawal transaction ($\text{0xcfda09ef}$).
## Response Actions
- Containment: Immediate cessation of further fund draining via the exploited functions, likely requiring protocol pausing or governance intervention, although the incident description focuses on the aftermath.
- Eradication: Not explicitly detailed, but likely included invalidating the compromised key/address and potentially disabling the exploited administrative functions until fixes were implemented.
- Recovery: Attempted recovery via offering an on-chain bounty of 20% of stolen funds to the attacker.
## Lessons Learned
- Private Key Security is Paramount: The entire attack hinged on the compromise of a single private key holding critical administrative rights. Hardware wallets and multi-signature requirements ($\text{multi-sig}$) are essential for such high-value keys.
- Separation of Duties: The administrative account held privileges capable of changing roles *and* authorizing withdrawal paths, allowing a single compromise to lead directly to unauthorized fund movement. Better segregation of duties is required.
- Lack of Safeguards: The absence of monitoring, time-locks on sensitive administrative changes, and hard withdrawal limits allowed the attacker to drain the assets in a single, catastrophic transaction.
## Recommendations
- Implement Threshold Signatures: Mandate multi-signature wallets for all administrative key actions that affect system roles or fund movements.
- Enforce Time-Locks: Place mandatory time-delays on critical operations (like role assignment or destination registration) to allow for internal monitoring and emergency intervention before the changes take effect.
- Establish Withdrawal Limits: Implement sensible capping mechanisms on token redemption functions to prevent single-transaction draining of reserves, even in the event of a successful compromise.
- Enhance Key Management: Review all procedural and technical measures surrounding private key storage, especially for admin or governance signing keys.