0xInfini Incident Analysis

On 24 February 2025, the Infini protocol was exploited when a compromised admin account granted itself a privileged role (0x8e0b), added an allowlisted receiver, and invoked a redemption function (0xcfda09ef) to drain vault tokens. The attacker redeemed ~11.3M resolvUSDC and ~35.65M USUALUSDC+ for ~\$49M USDC, swapped funds through DAI into ~17,696 ETH, and consolidated proceeds in wallet 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49. The report provides transaction links, affected addresses, and identifies the root cause as administrative privileges creating a single point of failure.