
CrediX Finance Faces 4.5M Exploit (Exit Scam Analysis)

CrediX Finance suffers a $4.5M exploit that reveals an exit-scam pattern, with an in-depth analysis of the breach and its impact on investors.

Author
QuillAudits Team
August 11, 2025

CrediX Finance, a lending protocol built on the Sonic blockchain, suffered a $4.5 million exploit on August 4, 2025, just weeks after its launch in July. What initially appeared to be a security breach has since evolved into strong suspicions of an exit scam, with the protocol's team completely disappearing after promising full recovery of stolen funds. The incident highlights critical vulnerabilities in decentralized finance (DeFi) governance systems. It raises serious questions about insider involvement, particularly given the methodical preparation that preceded the attack and the team's subsequent vanishing act.

Hack Analysis

  1. Six days before the exploit, the attacker account (0xF321683831Be16eeD74dfA58b02a37483cEC662e) was granted full administrative access through CrediX's ACLManager contract in transaction 0x0cc3520951a2b41281dcc9a0d37ef3f7f139b75675d83ae72e3b8e903334f35e. The grants were issued by the protocol's own admin EOA (0x0dd010513F7abB8F9c628dC164a24D953BCA09Cf), meaning either that key was compromised or the CrediX team granted the roles itself. The attacker received the following high-impact privileges:
    • POOL_ADMIN_ROLE: Complete control over lending pool operations and parameters
    • BRIDGE_ROLE: Cross-chain bridge functionality with minting capabilities
    • ASSET_LISTING_ADMIN_ROLE: Authority to list and manage protocol assets
    • EMERGENCY_ADMIN_ROLE: Emergency protocol shutdown and recovery powers
    • RISK_ADMIN_ROLE: Risk parameter adjustment and management authority

  2. The attacker exploited the BRIDGE_ROLE to create unbacked acUSDC and acscUSD tokens directly within the protocol’s lending pools. By calling the mintUnbacked function without providing any underlying USDC collateral, they effectively manufactured tokens out of nothing. In total, the attacker minted 2,500,000 acUSDC and 3,250,000 acscUSD.

  3. Using the freshly minted, unbacked acUSDC tokens as collateral, the attacker executed large-scale borrowing from the protocol's legitimate asset pools. Because the pool's accounting treats aTokens created through mintUnbacked exactly like deposit-backed ones, the phantom collateral was accepted as valid. In total, the attacker borrowed the following amounts (in USD value):
    1. USDC: $2,036,501.00
    2. scUSD: $1,160,000.00
    3. wS: $1,343,322.06
    4. stS beets staked: $55,577.99
    5. WETH: $45,557.99

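To make the three steps above concrete, here is a toy model of the privilege chain, written for this write-up; it is not CrediX or Aave code. The role names and the mintUnbacked function match the Aave v3 ACLManager/Pool interface that the description above follows, but everything else is an assumption: a single admin EOA that can grant any role, an 80% collateral factor for every reserve, USD-denominated integer units, only the USDC and scUSD reserves (sized from the borrow figures above), and an optional per-reserve unbacked mint cap modelled on Aave v3's unbackedMintCap, which this page does not mention. The last point is the mitigation worth seeing: a cap does not stop a rogue bridge, but it bounds how much phantom collateral one can ever create.

```python
"""
Toy model of steps 1-3 above.  Added illustration for this write-up; it is not
CrediX or Aave code.  Role names and mintUnbacked mirror the Aave v3
ACLManager/Pool interface; pool mechanics (aToken balances, an assumed 80%
collateral factor, USD-denominated units) are deliberately simplified.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_ADMIN_ROLE = "DEFAULT_ADMIN_ROLE"   # OpenZeppelin AccessControl convention
BRIDGE_ROLE = "BRIDGE_ROLE"


class ACLManager:
    """Minimal AccessControl: whoever holds DEFAULT_ADMIN_ROLE can grant any role."""

    def __init__(self, admin: str):
        self.roles: Dict[str, set] = {DEFAULT_ADMIN_ROLE: {admin}}

    def has_role(self, role: str, account: str) -> bool:
        return account in self.roles.get(role, set())

    def grant_role(self, caller: str, role: str, account: str) -> None:
        # Step 1: a single admin EOA is all it takes; no timelock, no second signer.
        if not self.has_role(DEFAULT_ADMIN_ROLE, caller):
            raise PermissionError("only the default admin can grant roles")
        self.roles.setdefault(role, set()).add(account)


@dataclass
class Reserve:
    liquidity: int                       # underlying actually deposited by users
    unbacked: int = 0                    # aTokens minted with no underlying behind them
    atokens: Dict[str, int] = field(default_factory=dict)
    # Assumed control, modelled on Aave v3's per-reserve unbackedMintCap; None = uncapped.
    unbacked_mint_cap: Optional[int] = None


class Pool:
    LTV = 0.80   # assumed collateral factor for every reserve

    def __init__(self, acl: ACLManager, reserves: Dict[str, Reserve]):
        self.acl = acl
        self.reserves = reserves
        self.debt: Dict[str, int] = {}

    def mint_unbacked(self, caller: str, asset: str, amount: int, on_behalf_of: str) -> None:
        # Step 2: BRIDGE_ROLE mints aTokens without pulling in any underlying.
        if not self.acl.has_role(BRIDGE_ROLE, caller):
            raise PermissionError("caller is not a bridge")
        r = self.reserves[asset]
        if r.unbacked_mint_cap is not None and r.unbacked + amount > r.unbacked_mint_cap:
            raise ValueError("unbacked mint cap exceeded")
        r.unbacked += amount
        r.atokens[on_behalf_of] = r.atokens.get(on_behalf_of, 0) + amount

    def collateral_value(self, account: str) -> int:
        # Unbacked aTokens are indistinguishable from deposit-backed ones here,
        # exactly the property the attacker relied on.
        return sum(r.atokens.get(account, 0) for r in self.reserves.values())

    def borrow(self, caller: str, asset: str, amount: int) -> int:
        # Step 3: borrow real liquidity against phantom collateral.
        r = self.reserves[asset]
        if self.debt.get(caller, 0) + amount > self.collateral_value(caller) * self.LTV:
            raise ValueError("insufficient collateral")
        if amount > r.liquidity:
            raise ValueError("insufficient liquidity")
        r.liquidity -= amount
        self.debt[caller] = self.debt.get(caller, 0) + amount
        return amount


def run_attack(unbacked_mint_cap: Optional[int] = None) -> int:
    """Replay the three steps; returns the USD value of liquidity drained."""
    admin, attacker = "0xadmin", "0xattacker"          # placeholder addresses
    acl = ACLManager(admin)
    pool = Pool(acl, {
        # Liquidity figures are the page's USDC and scUSD borrow amounts.
        "USDC": Reserve(liquidity=2_036_501, unbacked_mint_cap=unbacked_mint_cap),
        "scUSD": Reserve(liquidity=1_160_000, unbacked_mint_cap=unbacked_mint_cap),
    })
    acl.grant_role(admin, BRIDGE_ROLE, attacker)
    pool.mint_unbacked(attacker, "USDC", 2_500_000, attacker)
    pool.mint_unbacked(attacker, "scUSD", 3_250_000, attacker)
    drained = 0
    for asset, reserve in pool.reserves.items():
        drained += pool.borrow(attacker, asset, reserve.liquidity)
    return drained


def attack_blocked_by_cap(cap: Optional[int]) -> bool:
    """True if a per-reserve unbacked mint cap stops the replay before any borrow."""
    try:
        run_attack(unbacked_mint_cap=cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("drained without cap:", run_attack())
    print("blocked with 100k cap:", attack_blocked_by_cap(100_000))
```

Without a cap the replay drains the full USDC and scUSD liquidity (the model omits the wS, stS and WETH pools, so the total is lower than the real loss); with a 100k cap the first unbacked mint reverts and nothing is borrowed. The cap is an on-chain backstop only; the process control the page calls for, putting role grants behind a multisig and a timelock, sits in front of grant_role and is not modelled here.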

Root Cause

The attacker, almost certainly an insider or someone holding insider-granted keys, held POOL_ADMIN_ROLE, BRIDGE_ROLE, EMERGENCY_ADMIN_ROLE, RISK_ADMIN_ROLE and ASSET_LISTING_ADMIN_ROLE, which together give unrestricted control over the protocol. No smart contract vulnerability was exploited; the protocol's own privileged functionality, the bridge's unbacked minting path, was abused through administrative privileges concentrated in a single externally owned account.
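The role grants happened six days before any funds moved, so this incident was detectable well before the loss. The following monitoring example was written for this write-up and is not CrediX tooling. It runs three rules over already-decoded events: OpenZeppelin AccessControl's RoleGranted(role, account, sender) emitted by the ACLManager, and an Aave-v3-style Pool's MintUnbacked and BackUnbacked. The sample events are constructed from the narrative above (role hashes replaced by names, timestamps illustrative); the 24-hour accumulation window and six-hour backing grace period are assumed thresholds an operator would tune.

```python
"""
Added detection example for this write-up (not CrediX's tooling).  It replays
the warning signs the page describes over constructed, already-decoded events:
OpenZeppelin AccessControl's RoleGranted(role, account, sender) from the
ACLManager, and an Aave-v3-style Pool's MintUnbacked / BackUnbacked.  Role
hashes are replaced by their names and timestamps are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

PRIVILEGED_ROLES = {
    "POOL_ADMIN_ROLE", "BRIDGE_ROLE", "ASSET_LISTING_ADMIN_ROLE",
    "EMERGENCY_ADMIN_ROLE", "RISK_ADMIN_ROLE",
}
ADMIN_EOA = "0x0dd010513F7abB8F9c628dC164a24D953BCA09Cf"   # from the page
ATTACKER = "0xF321683831Be16eeD74dfA58b02a37483cEC662e"    # from the page

# Constructed sample: five role grants six days out, one legitimate bridge
# mint that is backed within the hour, then the two unbacked mints of the attack.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2025-07-29T10:00:00", "event": "RoleGranted",
     "role": role, "account": ATTACKER, "sender": ADMIN_EOA}
    for role in sorted(PRIVILEGED_ROLES)
] + [
    {"time": "2025-07-30T09:00:00", "event": "MintUnbacked", "reserve": "USDC",
     "user": "0xbridge", "onBehalfOf": "0xlp", "amount": 50_000},
    {"time": "2025-07-30T09:30:00", "event": "BackUnbacked", "reserve": "USDC",
     "backer": "0xbridge", "amount": 50_000},
    {"time": "2025-08-04T08:00:00", "event": "MintUnbacked", "reserve": "USDC",
     "user": ATTACKER, "onBehalfOf": ATTACKER, "amount": 2_500_000},
    {"time": "2025-08-04T08:01:00", "event": "MintUnbacked", "reserve": "scUSD",
     "user": ATTACKER, "onBehalfOf": ATTACKER, "amount": 3_250_000},
]


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


def detect(events: List[Dict], as_of: str,
           accumulation_window: timedelta = timedelta(hours=24),
           backing_grace: timedelta = timedelta(hours=6),
           min_roles: int = 2) -> List[Dict]:
    """Return alerts for privileged grants, role accumulation and unbacked exposure."""
    alerts: List[Dict] = []
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 sorts lexically

    # Rule 1: every grant of a high-impact role is worth a page; they should be rare.
    grants: Dict[str, List] = defaultdict(list)
    for e in events:
        if e["event"] == "RoleGranted" and e["role"] in PRIVILEGED_ROLES:
            alerts.append({"severity": "high", "rule": "privileged-role-granted",
                           "account": e["account"], "role": e["role"], "sender": e["sender"]})
            grants[e["account"]].append((_t(e["time"]), e["role"]))

    # Rule 2: one account collecting several roles inside a short window is the
    # CrediX pattern; escalate to critical (one alert per account).
    for account, items in grants.items():
        for t0, _ in items:
            roles = {r for t, r in items if t0 <= t <= t0 + accumulation_window}
            if len(roles) >= min_roles:
                alerts.append({"severity": "critical", "rule": "role-accumulation",
                               "account": account, "roles": sorted(roles)})
                break

    # Rule 3: a reserve whose unbacked aTokens are not backed within the grace
    # period.  Keep a running unbacked balance per reserve and remember when it
    # last went from zero to positive.
    unbacked: Dict[str, int] = defaultdict(int)
    since: Dict[str, datetime] = {}
    for e in events:
        if e["event"] == "MintUnbacked":
            if unbacked[e["reserve"]] == 0:
                since[e["reserve"]] = _t(e["time"])
            unbacked[e["reserve"]] += e["amount"]
        elif e["event"] == "BackUnbacked":
            unbacked[e["reserve"]] = max(0, unbacked[e["reserve"]] - e["amount"])
    for reserve, amount in unbacked.items():
        open_for = _t(as_of) - since[reserve]
        if amount > 0 and open_for > backing_grace:
            alerts.append({"severity": "critical", "rule": "unbacked-exposure",
                           "reserve": reserve, "amount": amount,
                           "open_for_hours": open_for / timedelta(hours=1)})
    return alerts


def run_sample() -> List[Dict]:
    """Run the rules over the constructed events as of the evening of the exploit."""
    return detect(SAMPLE_EVENTS, as_of="2025-08-04T20:00:00")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, rule 1 fires five times on July 29 and rule 2 escalates the same account to critical on the same day, six days before any funds moved; the legitimate bridge mint is backed within the grace period and stays quiet, while the two attack mints surface as unbacked exposure. Rule 3 is a running balance rather than a mint-to-back pairing because a bridge legitimately backs in aggregate, not per mint.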

Don’t Let Insider Risks Drain Your Protocol!

CrediX Finance shows how unchecked admin rights can lead to massive losses. QuillAudits ensures your smart contracts remain secure and your users' trust stays unshaken against every possible threat.



Funds Flow Post Attack

The attacker swapped the borrowed assets into USDC and bridged the proceeds to Ethereum via the deBridge protocol. 300 ETH have since been laundered through Tornado Cash, while the remaining ETH is still held across several Ethereum addresses.


Post Attack Mitigation

CrediX's post-attack response followed a concerning pattern that ultimately led to exit scam accusations:

Initial Response (August 4-5, 2025): CrediX initially acknowledged the breach and took its website offline to prevent additional deposits. The team promised that "all users' funds will be recovered in full within 24-48 hours" and claimed to have reached a successful parley with the exploiter, who had agreed to return the funds in exchange for a payment from the protocol's treasury.

Communication Breakdown (August 8, 2025): Rather than fulfilling their recovery promises, the CrediX team completely disappeared. The protocol's website remained offline, their X (Twitter) account went inactive, and their official Telegram channel was deleted. No recovery plan was ever published, and no funds were returned to users.

Stability DAO stepped in to coordinate recovery efforts, announcing plans to file a formal legal report with authorities. The DAO confirmed it had obtained KYC information for two CrediX team members and would include this in their legal submission to cybercrime units.

Conclusion

The CrediX Finance incident underscores the critical risks posed by excessive centralization of administrative privileges in DeFi protocols. This was not a case of exploiting a technical flaw in smart contracts but rather a deliberate abuse of governance authority, most likely by an insider or with insider collusion. The well-orchestrated granting of high-impact roles, rapid execution of the exploit, and subsequent disappearance of the team strongly indicate an exit scam. This event highlights the urgent need for stricter access controls, multi-signature governance, and transparent operational oversight to safeguard protocol integrity and user assets in decentralized finance.

At QuillAudits, we specialize in uncovering such governance risks before they turn into multimillion-dollar disasters. Through comprehensive smart contract audits and rigorous administrative privilege assessments, we help DeFi projects build resilient security frameworks that protect both protocol assets and community trust.
