Incident Review: $49.5 Million Stolen and Infini’s Crisis Response

On February 24, 2025, blockchain security firm Certik detected a suspicious fund transfer of approximately $49.5 million on the Ethereum chain, which was eventually converted into DAI stablecoin. After an investigation by the DeFi community group YAM, it was confirmed that the stolen funds originated from Infini’s yield aggregation protocol, Morpho MEV Capital Usual USDC Vault. This marks another major security incident in the crypto industry, following the Bybit hack just four days earlier.
The Infini team released a statement within four hours of the incident, promising to compensate users for their full losses and revealing that they had located the engineer involved and reported the case to the police. Although financial services were paused, the withdrawal function remained operational. Founder Christian said, “All user withdrawal requests, totaling $500,000, have been processed.” The speed of this response offers the industry a crisis-management model, but the incident itself highlights weaknesses in DeFi protocols, particularly around smart contract audits and permission management.

The picture is from X

Technical Vulnerability Analysis: Unverified Contracts and Fund Flow

According to Certik’s analysis, the attacker exploited an unverified smart contract within the Infini yield pool, disguising the attack as a legitimate transaction for fund transfer. This attack method is similar to the October 2024 hack involving NFT artist DeeKay’s wallet, both originating from a lack of protocol-level permission control.
It is worth noting that the stolen funds did not follow the usual hacker pattern of flowing into a mixer or cross-chain bridge; they were instead converted directly into DAI and deposited into a centralized exchange. This unusual behavior prompted two speculations:

  1. The attacker may have aimed to reduce asset traceability by using a stablecoin for quick liquidation.
  2. There could be insider involvement, with funds directed to a pre-designated “safe account.”

Infini has not disclosed concrete evidence of engineer involvement, but industry experts point out that DeFi projects should establish dual verification and decentralized governance mechanisms to avoid single points of failure.

Industry Ripple Effects: User Trust Crisis and Regulatory Pressure

The Infini incident triggered a chain reaction within the DeFi sector:

  1. Market Panic: After the news broke, Bitcoin dropped by 3.5% within 24 hours, and the total value locked (TVL) of Ethereum DeFi protocols decreased by $1.2 billion in a single day.
  2. Regulatory Involvement: The European Securities and Markets Authority (ESMA) announced that it would revise the Markets in Crypto-Assets (MiCA) regulation, requiring DeFi platforms to have mandatory insurance and risk reserves.
  3. User Concerns: The continuous hacks of centralized and decentralized exchanges left users uncertain about where to safely engage.

Security Recommendations: Lessons Learned from the Infini Incident

To reduce similar risks, both users and platforms can adopt the following measures:

  • Cold/Hot Wallet Isolation: Store over 90% of assets in hardware wallets and only keep necessary funds in hot wallets.
  • Contract Audit Upgrades: Choose smart contract projects certified by JuCoin Labs and avoid participating in unverified protocols.
  • Real-time Monitoring Tools: Use on-chain alert systems (e.g., Certik Skynet) to track large, unusual transactions and take prompt action to minimize losses.
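To make the monitoring recommendation concrete, the following is an added illustration (not Infini’s code and not how Certik Skynet is implemented) of the two checks an on-chain alert system would run against the fund flow described in this article: a large outflow from a watched vault to an unexpected address, followed by a stablecoin transfer into a known exchange deposit address. All addresses, thresholds and events are constructed placeholders; a real deployment would read transfer events from a node or indexer and maintain curated lists of protocol counterparties and exchange hot wallets.

```python
from dataclasses import dataclass

# Constructed configuration for the example. Addresses are placeholders, not
# real contracts; thresholds are illustrative and would be tuned per protocol.
WATCHED_VAULT = "0xVAULT"                                   # the yield vault being monitored
ALLOWED_DESTINATIONS = {"0xTREASURY", "0xLENDING_MARKET"}   # expected counterparties
KNOWN_CEX_DEPOSITS = {"0xCEX_DEPOSIT"}                      # exchange deposit addresses (curated list)
STABLECOINS = {"DAI", "USDC", "USDT"}
LARGE_USD = 1_000_000                                       # alert threshold for a single outflow
FOLLOW_WINDOW_BLOCKS = 50                                   # how far to follow funds after an outflow


@dataclass(frozen=True)
class Transfer:
    block: int
    tx: str
    token: str
    sender: str
    recipient: str
    usd: float


@dataclass(frozen=True)
class Alert:
    rule: str
    tx: str
    detail: str


def large_unexpected_outflows(events):
    """Rule 1: a single large transfer out of the watched vault to an address
    that is not one of its expected counterparties."""
    return [
        Alert("large_unexpected_outflow", e.tx,
              f"{e.usd:,.0f} USD from vault to {e.recipient}")
        for e in events
        if e.sender == WATCHED_VAULT
        and e.usd >= LARGE_USD
        and e.recipient not in ALLOWED_DESTINATIONS
    ]


def cex_liquidation_after(events, start_block, first_hop):
    """Rule 2: follow funds from `first_hop` for a few blocks and flag a
    stablecoin transfer into a known exchange deposit address. Addresses that
    receive tainted funds become tainted themselves; a production version
    would stop tainting at known DEX pools and routers to avoid false positives."""
    tainted = {first_hop}
    alerts = []
    window = [e for e in sorted(events, key=lambda e: e.block)
              if start_block < e.block <= start_block + FOLLOW_WINDOW_BLOCKS]
    for e in window:
        if e.sender not in tainted:
            continue
        if e.token in STABLECOINS and e.recipient in KNOWN_CEX_DEPOSITS:
            alerts.append(Alert("stablecoin_to_cex", e.tx,
                                f"{e.usd:,.0f} {e.token} to exchange {e.recipient}"))
        else:
            tainted.add(e.recipient)
    return alerts


def scan(events):
    """Run both rules; rule 2 is only evaluated for recipients flagged by rule 1."""
    alerts = large_unexpected_outflows(events)
    by_tx = {e.tx: e for e in events}
    for a in list(alerts):
        seed = by_tx[a.tx]
        alerts.extend(cex_liquidation_after(events, seed.block, seed.recipient))
    return alerts


# Constructed sample events mirroring the flow described in the article:
# a large vault outflow, a swap into DAI, and a direct deposit to an exchange,
# plus two ordinary transfers that must not raise alerts.
SAMPLE_EVENTS = [
    Transfer(100, "0xtx1", "USDC", WATCHED_VAULT, "0xUNKNOWN", 49_500_000),
    Transfer(101, "0xtx2", "USDC", "0xUNKNOWN", "0xDEX_POOL", 49_500_000),
    Transfer(101, "0xtx3", "DAI", "0xDEX_POOL", "0xUNKNOWN", 49_400_000),
    Transfer(103, "0xtx4", "DAI", "0xUNKNOWN", "0xCEX_DEPOSIT", 49_400_000),
    Transfer(120, "0xtx5", "USDC", WATCHED_VAULT, "0xTREASURY", 2_000_000),  # expected rebalance
    Transfer(130, "0xtx6", "USDC", WATCHED_VAULT, "0xUSER", 5_000),          # ordinary small withdrawal
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.tx, alert.detail)
```

Running the block prints two alerts: the $49.5M outflow in `0xtx1` and the DAI deposit to the exchange in `0xtx4`; the treasury rebalance and the small user withdrawal pass silently. The point of chaining rule 2 onto rule 1 is that the exchange deposit is what turns a suspicious outflow into an actionable event: an operator who receives the first alert within a block or two can contact the exchange before the funds are cashed out.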

For DeFi platforms, establishing a transparent fund flow disclosure mechanism and partnering with third-party insurance services will be key to rebuilding market trust.

Future Outlook: How DeFi Platforms Can Restore Market Confidence

The Infini incident has accelerated the iteration of industry security standards. Some exchanges, such as JuCoin, have launched “Security Partner Programs” to provide real-time risk control support to integrated DeFi protocols. At the same time, the decentralized insurance protocol Nexus Mutual has announced plans to develop customized policies for MEV attacks, expected to launch in Q2 of 2025.
In the long run, the sustainable development of DeFi requires a balance between innovation and security. Users can stay updated on industry trends through this blog and prioritize evaluating the security architecture of new protocols over short-term gains. Only by building a multi-party collaborative defense system can the crypto ecosystem move toward maturity and stability.

Neason Oliver