The story of the Infini hack begins several months earlier in 2024 when the project hired an anonymous developer to create and deploy its smart contracts. The code was launched on-chain as an unverified smart contract, meaning that there wasn’t corresponding source code released on GitHub that was demonstrated to match the compiled code. As a result, the full functionality of the contract was largely unknown.

When the developer created and deployed this contract, they included a special role (0x8e0b) that provided the right to drain all of the funds from the contract’s vault. This role was granted to a particular blockchain address that was breached and under the rogue developer’s control. Then, they waited for 114 days until the contract that they created and deployed held enough assets.

When the attacker struck, they were able to drain approximately $50 million from the project across two transactions. The USDC withdrawn from the vault was swapped to DAI to prevent blocklisting and later converted to approximately 17.7k ETH. The attacker also covered their tracks by sending the stolen assets through the Tornado Cash laundering service.

The Infini hack is an example of a DeFi hack enabled by poor security practices more than vulnerable code. While the Infini smart contract contained what amounted to a backdoor — a special role able to drain the value stored in a value — the attacker was a former insider with access to a compromised key and knowledge of the structure of this unverified smart contract.

The Infini hack could have been prevented by implementing various DeFi security best practices. If the privileged account had been managed by a multi-sig wallet, then the rogue developer would have needed access to multiple keys to carry out their attack. If the smart contract had been verified or audited, the “backdoor” access role likely would have been found. If access provided to developers had been automatically revoked after contract launch, the attacker would have lacked the privileges to steal the funds.

DeFi security is more than just smart contract audits. DeFi hackers are increasingly targeting off-chain security gaps and weak processes. For advice on how to secure your protocol against these types of threats, reach out to Halborn.