CrediX Finance’s $4.5M Exploit (Suspected Exit Scam)


On August 4, 2025, CrediX Finance, a lending protocol on the Sonic blockchain, was hit by a $4.5M exploit — just weeks after its July launch. What first appeared to be a security breach soon raised suspicions of an exit scam when the team vanished after promising full recovery of user funds.
How It Happened
Just six days before the attack, the exploiter gained full administrative control through CrediX’s ACLManager contract, likely using a compromised or insider-owned admin wallet. They granted themselves multiple high-level roles, including complete pool control, cross-chain bridge access, asset listing authority, and emergency shutdown powers.
Using these privileges, the attacker exploited the BRIDGE_ROLE to mint millions in unbacked acUSDC and acscUSD tokens without depositing any collateral. They then used these fake assets as collateral to borrow legitimate funds, draining over $4.5M worth of USDC, scUSD, wS, staked tokens and WETH.
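As an added illustration (not CrediX's code and not part of the original post), here is a small Python monitor that replays ACLManager role grants and bridge mints and flags the two signals described above: a single address accumulating privileged roles, and a bridge mint larger than the deposits backing it. The role names, event shapes and addresses are assumed and constructed for the example, not CrediX's real identifiers or transactions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed role labels for illustration; not CrediX's actual role identifiers.
PRIVILEGED_ROLES = {"POOL_ADMIN", "BRIDGE_ROLE", "ASSET_LISTING_ADMIN", "EMERGENCY_ADMIN"}


@dataclass
class Event:
    block: int
    kind: str          # "RoleGranted", "BridgeDeposit" or "BridgeMint"
    account: str
    role: str = ""     # set for RoleGranted
    amount: int = 0    # set for BridgeDeposit / BridgeMint


def audit(events, max_roles_per_account=1):
    """Replay events in block order; return (block, rule, account, detail) alerts."""
    roles = defaultdict(set)       # account -> privileged roles currently held
    backing = defaultdict(int)     # account -> verified deposits minus mints
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):   # stable sort keeps intra-block order
        if ev.kind == "RoleGranted" and ev.role in PRIVILEGED_ROLES:
            roles[ev.account].add(ev.role)
            # One wallet holding several high-privilege roles is the precursor seen here.
            if len(roles[ev.account]) > max_roles_per_account:
                alerts.append((ev.block, "ROLE_ACCUMULATION", ev.account, sorted(roles[ev.account])))
        elif ev.kind == "BridgeDeposit":
            backing[ev.account] += ev.amount
        elif ev.kind == "BridgeMint":
            # A mint that exceeds the minter's recorded backing is unbacked supply.
            if ev.amount > backing[ev.account]:
                alerts.append((ev.block, "UNBACKED_MINT", ev.account, ev.amount - backing[ev.account]))
            backing[ev.account] -= ev.amount
    return alerts


# Constructed sample stream; addresses and amounts are illustrative only.
SAMPLE_EVENTS = [
    Event(50, "RoleGranted", "0xrelayer", role="BRIDGE_ROLE"),
    Event(100, "RoleGranted", "0xatt", role="BRIDGE_ROLE"),
    Event(100, "RoleGranted", "0xatt", role="POOL_ADMIN"),
    Event(101, "RoleGranted", "0xatt", role="EMERGENCY_ADMIN"),
    Event(200, "BridgeDeposit", "0xrelayer", amount=1_000_000),
    Event(201, "BridgeMint", "0xrelayer", amount=1_000_000),   # backed, no alert
    Event(250, "BridgeMint", "0xatt", amount=3_000_000),       # nothing backs it
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS):
        print(alert)
```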
Why It’s Not Just a ‘Hack’
This wasn’t a typical smart contract vulnerability. The exploit relied on centralized admin privileges, a governance flaw that allowed complete abuse of protocol functions. Evidence suggests insider involvement or collusion.
Post-Attack Fallout
Initially, CrediX promised full restitution within 48 hours, claiming a deal had been reached with the attacker. But within days the team disappeared: the website went offline, social accounts were deleted, and no recovery plan was shared. Stability DAO has since taken charge of recovery efforts, collecting KYC details of two team members and preparing a formal legal case.
Want to Dive Deeper?
We’ve broken down the CrediX exploit step-by-step in our full blog, covering the transactions, role setup, funds flow, and red flags that pointed to an exit scam.
👉 Read the full CrediX Finance exploit analysis here
The Bigger Lesson
CrediX’s downfall highlights the dangers of excessive admin centralization in DeFi. Without checks like multi-signature governance and transparent oversight, even secure smart contracts can be undermined from within.
At QuillAudits, we’ve seen this pattern repeat across the industry. In our H1 2025 Web3 Security Report, insider threats and governance mismanagement continue to be leading causes of multi-million dollar losses, proving that security isn’t just about code but also about who controls the keys.
Read articles from Rahul Ravi directly inside your inbox. Subscribe to the newsletter, and don't miss out.