Infini (Crypto Neobank): Retained Admin Privileges — Rogue Developer Backdoor
A rogue developer who built Infini's neobank vault retained admin withdrawal privileges and waited 114 days before draining $49.5M in USDC, converting to DAI then ETH to launder.
Summary #
Infini (Crypto Neobank) suffered a Yield / Savings (Neobank — Morpho vault depositor) on 2025-02-24, resulting in a loss of approximately $50M.
What happened #
A rogue developer who built Infini's neobank vault retained admin withdrawal privileges and waited 114 days before draining $49.5M in USDC, converting to DAI then ETH to launder.
Linked factors #
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No (contract deployed 114 days prior)] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No (contract deployed 114 days prior)]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
- RD-F-043 — causal : ★ Admin = deployer EOA + no multisig transfer within 7 days [via cross-hack: Factor 24: Retained Developer Admin Role Post-Deployment]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: 1 ETH Tornado Cash → new wallet immediately before attack; exploit contract deployment from rogue dev address]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — privileged role invocation was the entire attack mechanism]