CrediX Finance Suffers 4.5 Million Dollar Exploit on Sonic Blockchain in Suspected Exit Scam

CrediX Finance, a lending protocol built on the Sonic blockchain, suffered a devastating $4.5 million exploit on August 4, 2025, just weeks after launching in July. What initially appeared to be a sophisticated smart contract breach has since evolved into strong suspicions of an exit scam, with the protocol’s team vanishing entirely after promising full recovery of stolen funds. The incident exposes critical vulnerabilities in DeFi governance structures that every crypto investor needs to understand.

The Exploit Mechanics

The attack was methodically planned over several days. Six days before the exploit, the attacker gained full administrative access through CrediX’s ACLManager contract. A potentially compromised admin wallet granted the attacker account several high-impact privileges: POOL_ADMIN_ROLE for complete control over lending pool operations, BRIDGE_ROLE with cross-chain minting capabilities, ASSET_LISTING_ADMIN_ROLE for managing protocol assets, EMERGENCY_ADMIN_ROLE for protocol shutdown powers, and RISK_ADMIN_ROLE for adjusting risk parameters.

With these privileges in hand, the attacker exploited the BRIDGE_ROLE to create unbacked acUSDC and acscUSD tokens directly within the protocol’s lending pools. By calling the mintUnbacked function without providing any underlying USDC collateral, they manufactured 2,500,000 acUSDC and 3,250,000 acscUSD tokens out of thin air. These artificially created tokens were then used as collateral to borrow legitimate assets from the protocol’s pools, draining approximately $4.5 million in total value.
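The pattern the article describes (one account collecting BRIDGE_ROLE and several other admin roles days before the drain) is visible on-chain long before any mint. The monitor below is an added example, not CrediX code: it replays constructed `RoleGranted`/`RoleRevoked` log lines for an Aave-style ACLManager and flags any non-multisig key that holds BRIDGE_ROLE or more than one high-impact role. The placeholder addresses, the `MAX_ROLES_PER_EOA` threshold and the multisig allow-list are assumptions.

```python
"""Role-concentration monitor for an Aave-style ACLManager (added example, not CrediX code)."""
from collections import defaultdict

# The five roles the article says were granted to the attacker account.
HIGH_IMPACT_ROLES = {
    "POOL_ADMIN_ROLE", "BRIDGE_ROLE", "ASSET_LISTING_ADMIN_ROLE",
    "EMERGENCY_ADMIN_ROLE", "RISK_ADMIN_ROLE",
}
MAX_ROLES_PER_EOA = 1          # assumption: a single EOA should hold at most one such role
MULTISIG = "0xMULTISIG_PLACEHOLDER"          # assumed governance multisig (constructed)
SUSPECT = "0xCOMPROMISED_ACCOUNT_PLACEHOLDER"  # constructed, stands in for the attacker key
ANALYST = "0xANALYST_PLACEHOLDER"            # constructed benign account
KNOWN_MULTISIGS = {MULTISIG}

# Constructed log lines in the form: <block> <event> <role> <account>
SAMPLE_LOG = [
    f"41000000 RoleGranted POOL_ADMIN_ROLE {MULTISIG}",
    f"41000001 RoleGranted RISK_ADMIN_ROLE {MULTISIG}",
    f"41000500 RoleGranted POOL_ADMIN_ROLE {SUSPECT}",
    f"41000501 RoleGranted BRIDGE_ROLE {SUSPECT}",
    f"41000502 RoleGranted ASSET_LISTING_ADMIN_ROLE {SUSPECT}",
    f"41000503 RoleGranted EMERGENCY_ADMIN_ROLE {SUSPECT}",
    f"41000504 RoleGranted RISK_ADMIN_ROLE {SUSPECT}",
    f"41000600 RoleGranted RISK_ADMIN_ROLE {ANALYST}",
    f"41000601 RoleRevoked RISK_ADMIN_ROLE {ANALYST}",
]

def parse_role_events(lines):
    """Replay grant/revoke events and return the set of roles each account currently holds."""
    held = defaultdict(set)
    for line in lines:
        _block, event, role, account = line.split()
        if event == "RoleGranted":
            held[account].add(role)
        elif event == "RoleRevoked":
            held[account].discard(role)
    return held

def find_overprivileged(held):
    """Return (account, reason) alerts for risky role concentration on non-multisig keys."""
    alerts = []
    for account, roles in held.items():
        risky = roles & HIGH_IMPACT_ROLES
        if account in KNOWN_MULTISIGS or not risky:
            continue
        if "BRIDGE_ROLE" in risky:
            alerts.append((account, "BRIDGE_ROLE on a non-multisig key: can mint unbacked aTokens"))
        if len(risky) > MAX_ROLES_PER_EOA:
            alerts.append((account, f"{len(risky)} high-impact roles on one key: {sorted(risky)}"))
    return alerts

if __name__ == "__main__":
    for account, reason in find_overprivileged(parse_role_events(SAMPLE_LOG)):
        print(f"ALERT {account}: {reason}")
```

In production the same logic would consume real `RoleGranted` events from the ACLManager contract and page someone the moment BRIDGE_ROLE lands anywhere other than the governance multisig.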

Affected Systems

The stolen funds were spread across multiple assets. The attacker borrowed $2,036,501 in USDC, $1,160,000 in scUSD, $1,343,322 in wS (wrapped Sonic), $55,578 in stS (Beets staked Sonic), and $45,558 in WETH. Because the smart contracts could not distinguish between legitimately backed tokens and the artificially created ones, the collateral was accepted as valid across both of the affected CrediX lending pools.

Post-attack, the attacker converted multiple borrowed assets into USDC and bridged them to Ethereum via the deBridge protocol. At least 300 ETH has been laundered through Tornado Cash, while the remaining ETH sits across multiple Ethereum addresses. The Sonic blockchain ecosystem, which had been gaining traction with Bitcoin trading around $115,072 and Ethereum near $3,719 at the time, took a reputational hit from the incident.

The Mitigation Strategy

CrediX’s post-attack response followed a deeply concerning pattern. On August 4 and 5, the team acknowledged the breach, took their website offline to prevent additional deposits, and promised that all users’ funds would be recovered within 24 to 48 hours. They claimed to have reached a successful negotiation with the exploiter, who agreed to return funds in exchange for payment from the protocol’s treasury.

By August 8, the CrediX team had completely disappeared. The protocol’s website remained offline, their X (formerly Twitter) account went inactive, and their official Telegram channel was deleted. No recovery plan was ever published, and no funds were returned to users. Stability DAO stepped in to coordinate recovery efforts, announcing plans to file a formal legal report with authorities. The DAO confirmed it had obtained KYC information for two CrediX team members and would include this in their legal submission to cybercrime units.

Lessons Learned

The CrediX Finance incident underscores the critical risks posed by excessive centralization of administrative privileges in DeFi protocols. This was not a case of exploiting a technical flaw in smart contracts but rather a deliberate abuse of governance authority, most likely by an insider or with insider collusion. The well-orchestrated granting of high-impact roles six days before the exploit, the rapid execution of the attack, and the subsequent disappearance of the team all point to a premeditated exit scam.

Key takeaways for DeFi users include: always verify whether a protocol uses multi-signature governance for administrative functions, be cautious of newly launched protocols with concentrated admin privileges, and never deposit more than you can afford to lose into unaudited or recently launched platforms. The gap between a protocol’s launch and its first comprehensive security audit remains one of the most dangerous windows in decentralized finance.

User Action Required

Any users who had funds deposited in CrediX Finance should immediately document their transactions and wallet addresses. Contact Stability DAO’s recovery coordination efforts and file reports with relevant cybercrime authorities. Monitor the attacker’s known Ethereum addresses for any movement of funds. Going forward, exercise extreme caution with any protocol on the Sonic blockchain or elsewhere that lacks transparent governance documentation and multi-signature requirements for administrative roles.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

15 thoughts on “CrediX Finance Suffers 4.5 Million Dollar Exploit on Sonic Blockchain in Suspected Exit Scam”

    1. 4.5m exploit followed by suspected exit scam. sonic was basically unvetted and anyone who deployed there took a gamble

      1. POOL_ADMIN_ROLE plus BRIDGE_ROLE plus EMERGENCY_ADMIN. they gave one wallet god mode on a protocol that launched 2 weeks ago. smh

        1. ACLManager with 5 admin roles on one wallet for a protocol that launched 2 weeks prior. this isn't a hack, it's negligence as a service

        2. Sara Kim nailed it but nobody listened until $4.5M disappeared. POOL_ADMIN plus BRIDGE_ROLE plus EMERGENCY_ADMIN on a single wallet should be illegal in DeFi

        3. one wallet with god mode on a protocol that launched 2 weeks ago. this is why multi-sig exists but nobody uses it until after the exploit

        4. Sara is right about prevention costs. Most DeFi protocols spend millions on audits but pennies on actual security measures

    1. the cost of prevention is always lower. but prevention costs money upfront and crypto projects always skip it

  1. CrediX launching in July and exiting in August is a new record even for DeFi. sonic chain deployments need way more scrutiny

  2. 6 days of admin access before the exploit. the attacker literally watched the team work for a week before pulling the trigger. cold

    1. 6 days watching the team work before pulling the trigger is patient opsec for an exit scam. most attackers are greedy and rush

  3. Giving admin privileges on a 2-week-old protocol is exactly how projects get exploited. Multi-sig isn’t optional
