What Happened

Infini — 2025 Backtest

$49.5M | Smart Contract Exploit | February 24, 2025

A former developer retained the privileged admin EOA role (0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1) over the unverified vault contract after deployment and used this retained access to withdraw all user funds in a single transaction. The founder later acknowledged 'negligence in the authority transfer process'. The funds were routed through the Railgun mixer.

What Hindenrank Would Have Said

As of January 15, 2025

Grade: D+
Risk Score: 58/100

Infini's architecture as of January 2025 represents one of the most dangerous centralization risk profiles in DeFi: a growing yield product backed by unverified smart contracts, controlled by a single anonymous developer's private key, with no multisig, no timelock, and no verifiable audit trail. The regulatory risk and documentation quality scores alone justify a D+ rating. Extreme caution warranted.

Mechanism Novelty: 6/15
Interaction Severity: 16/20
Oracle Surface: 4/10
Documentation Quality: 10/10
Track Record: 3/15
Scale Exposure: 3/10
Regulatory Risk: 10/10
Protocol Vitality: 6/10

Grade Predicted This Failure

Flagged by dimensions: Interaction Severity, Documentation Quality, Regulatory Risk

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

  1. Primary vault smart contract (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC) deployed November 2024 and UNVERIFIED on Etherscan — source code not publicly available
  2. Single anonymous developer holds privileged admin EOA role over all vault funds — no multisig, no timelock, no revocation mechanism
  3. No verifiable published audit reports despite marketing claims of 'multiple audits' — no named auditor or report links
  4. Card product suspended within weeks of June 2024 launch due to compliance costs — operational fragility signal
  5. No DAO, governance token, or community oversight — founder and anonymous developer hold unilateral control

Collapse Scenarios

Admin Key Compromise or Insider Drain (Elevated)

Trigger

Anonymous developer retains privileged admin EOA role and either (a) is coerced, (b) turns malicious, or (c) suffers private key compromise — triggering a single-transaction drain of all vault funds.

Cascade

  1. Admin EOA private key is compromised (phishing, social engineering, insider intent, or infrastructure breach). Attacker now controls the single account with unrestricted withdrawal rights over all Infini vault assets.
  2. Single transaction withdraws all USDC/USDT from Morpho, Ethena, and Usual positions. All user funds drained in under 30 seconds; no multisig delay, no governance vote, no circuit breaker.
  3. Funds routed through mixers (Tornado Cash / Railgun) before team can respond. Funds unrecoverable; depositors face total loss.
  4. Infini team acknowledges incident; attempts white-hat recovery. Recovery highly unlikely given lack of any timelock or on-chain pause mechanism; reputation destroyed.

Historical Precedent

Numerous CeDeFi protocols have suffered admin key compromises: Mango Markets governance attack ($114M, Oct 2022), Multichain ($126M, Jul 2023) — both involved centralized control by a small group without multisig protection.
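As an added illustration (not Infini's code, whose vault source is unverified per this page), a hypothetical Solidity sketch of the single-EOA pattern flagged in this scenario beside a hardened form that queues privileged withdrawals behind a delay, expects a multisig as admin, and makes the authority handover two-step so a stale key cannot keep control by accident; all contract and function names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Pattern 1 (the risk described above): one admin EOA fixed at deployment
// can move every token in a single transaction, with no delay and no handover step.
contract SingleKeyVault {
    address public admin; // the deployer's EOA, never rotated
    constructor() { admin = msg.sender; }

    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, amount), "transfer failed"); // instant and unbounded
    }
}

// Pattern 2 (hardened, hypothetical): admin is meant to be a multisig, withdrawals are
// queued behind a delay (the emitted event gives depositors and monitors time to react),
// and admin handover is two-step so the old key loses authority only on acceptance.
contract TimelockedVault {
    uint256 public constant DELAY = 2 days;
    address public admin;
    address public pendingAdmin;
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event WithdrawQueued(bytes32 indexed id, address token, address to, uint256 amount, uint256 readyAt);
    constructor(address multisig) { admin = multisig; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function queueWithdraw(IERC20 token, address to, uint256 amount) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(token, to, amount));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit WithdrawQueued(id, address(token), to, amount, readyAt[id]);
    }

    function executeWithdraw(IERC20 token, address to, uint256 amount) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(token, to, amount));
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        delete readyAt[id];
        require(token.transfer(to, amount), "transfer failed");
    }

    // Old key loses authority only once the new holder has accepted.
    function transferAdmin(address newAdmin) external onlyAdmin { pendingAdmin = newAdmin; }
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}
```

The delay does not stop a compromised multisig, but it converts a silent single-transaction drain into a queued, observable action that a monitor can alert on before execution.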

Underlying Protocol Cascade Failure (Moderate)

Trigger

One of Infini's three yield sources (Morpho curated vault, Ethena sUSDe, Usual USD0) suffers a significant loss event; Infini's smart contracts cannot automatically withdraw and protect users due to lack of circuit breakers.

Cascade

  1. Ethena's sUSDe delta-neutral strategy loses its peg during an extreme funding rate reversal or exchange risk event. Infini's sUSDe allocation loses value; the portion of user funds in this strategy is impaired.
  2. Infini's smart contracts have no automatic rebalancing or circuit breaker — manual admin intervention required. Team must manually respond, but the unverified contract means response speed depends entirely on admin EOA availability.
  3. Users attempt to withdraw during the stress event; Infini's withdrawal reserves are depleted. Partial bank run; team either halts withdrawals (further panic) or forces redemption at a loss.
  4. Loss event becomes public; full bank run ensues. All user funds at risk of partial loss if underlying strategies are impaired.

Historical Precedent

Nexus Mutual (2020) and various yield aggregators have experienced cascading failures when underlying protocol exploits propagated through aggregation layers. The Infini model is more centralized but the dependency chain is similar.
