CrediX Finance $4.5M Exploit: Governance Key Abuse
A technical breakdown of the August 2025 CrediX Finance exploit—detailing how compromised admin privileges allowed an attacker to mint unbacked collateral, drain liquidity pools, and bridge stolen assets, and why governance controls failed.

CrediX Finance Exploit: How Governance Failure Enabled a $4.5M Drain
Privilege Escalation via ACLManager
In late July 2025, six days before the breach, the attacker’s address was granted multiple high-level roles—including BRIDGE_ROLE, POOL_ADMIN_ROLE, ASSET_LISTING_ADMIN_ROLE, RISK_ADMIN_ROLE, and EMERGENCY_ADMIN_ROLE—through the CrediX ACLManager. This effectively gave them full control over minting, collateral listing, and pool parameters without multi-sig or timelock protections.
Using BRIDGE_ROLE, the attacker invoked the mintUnbacked function to generate 2,500,000 acUSDC and 3,250,000 acscUSD with no underlying deposit. In Aave v3-style lending pools this function exists for bridged liquidity: it credits deposit tokens before the backing assets arrive, so the resulting balances are indistinguishable from real deposits and the protocol accepted them as valid collateral.
Draining Liquidity Pools
With synthetic collateral in place, the attacker borrowed heavily from CrediX’s lending pools, extracting approximately $2.036M USDC, $1.160M scUSD, $1.343M wS, $55.6K stS-Beets, and $45.6K WETH—totaling about $4.5M in value. This was not a traditional smart contract bug or flash loan exploit, but rather the direct abuse of over-privileged admin access.
On-Chain Movements
The attacker bridged stolen assets from Sonic to Ethereum via deBridge, swapping large portions into ETH. Around 300 ETH was sent through Tornado Cash to obfuscate trails, while ~1,000 ETH remained in known attacker wallets. On-chain monitoring tools later confirmed these flows, matching the drained pool values.
Timeline of Events
- July 29, 2025: Attacker address granted multiple admin roles via ACLManager.
- Aug 4, 2025 (~10:24 UTC): Exploit executed—minting unbacked tokens and draining pools.
- Aug 4, later: CrediX pauses deposits, claims a “parley” with exploiter, promises full refund in 48 hours.
- Aug 5–7: Team disappears; social channels and site go offline.
- Aug 8 onward: Community and Stability DAO begin forensic tracing and legal prep.
Governance and Security Failures
No underlying contract flaw was exploited—this was a governance collapse. A single key held sweeping powers with no checks, enabling unilateral minting and borrowing. The incident underscores the dangers of concentrated privileges without multi-sig, timelocks, or separation of duties.
Key Security Lessons
- Enforce the principle of least privilege—no single account should hold all core roles.
- Implement multi-sig and timelocks for role assignments and parameter changes.
- Continuously monitor on-chain governance events, especially admin role grants.
- Audit not just contract logic, but also access control configurations and upgrade paths.
- Ensure transparent crisis communication—credibility suffers when promises are not kept.
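The role grants described under "Privilege Escalation via ACLManager" were visible on-chain six days before any funds moved, which is exactly what the monitoring lesson above targets. The following Python scanner is an added example (not CrediX's code and not any audit firm's tooling): it decodes RoleGranted events from raw EVM logs, names the role, alerts on every admin-role grant and again when one account accumulates several roles, and recognises the mintUnbacked selector in transaction calldata. It assumes the CrediX ACLManager follows Aave v3 conventions (role ids are keccak256 of the bare role name such as BRIDGE, and the Pool function is mintUnbacked(address,uint256,address,uint16)); the addresses and log entries are constructed. A minimal Keccak-256 is included so it runs offline without web3 or pycryptodome.

```python
"""Alert on admin-role grants and mintUnbacked calls from raw EVM logs and calldata.
Added example, not CrediX tooling. Role names follow Aave v3's ACLManager (an
assumption about CrediX); every address and log entry below is constructed."""
from collections import defaultdict

# Minimal Keccak-256: the EVM uses pre-FIPS Keccak (0x01 padding), not hashlib's sha3_256.
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]  # rho offsets, lane index = x + 5*y
_MASK = (1 << 64) - 1

def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v

def _keccak_f(a):
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):  # rho + pi: B[y, 2x+3y] = rot(A[x, y])
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], _ROT[x + 5 * y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]  # chi
        a[0] ^= rc  # iota
    return a

def keccak256(data: bytes) -> bytes:
    rate = 136  # (1600 - 2*256) / 8 bytes absorbed per permutation
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])

def keccak_hex(s: str) -> str:
    return "0x" + keccak256(s.encode()).hex()

# Aave v3 ACLManager role ids are keccak256 of the bare name; DEFAULT_ADMIN_ROLE is bytes32(0).
ROLE_NAMES = {keccak_hex(n): n + "_ROLE" for n in ("POOL_ADMIN", "EMERGENCY_ADMIN",
              "RISK_ADMIN", "FLASH_BORROWER", "BRIDGE", "ASSET_LISTING_ADMIN")}
ROLE_NAMES["0x" + "00" * 32] = "DEFAULT_ADMIN_ROLE"
ROLE_GRANTED = keccak_hex("RoleGranted(bytes32,address,address)")  # OpenZeppelin AccessControl
MINT_UNBACKED = keccak_hex("mintUnbacked(address,uint256,address,uint16)")[:10]  # 4-byte selector

def _addr(topic: str) -> str:
    return "0x" + topic[-40:]  # indexed addresses are left-padded to 32 bytes in topics

def scan_role_grants(logs, threshold=2):
    """Return ({account: roles}, alerts). Every admin-role grant is reported, and an
    account reaching `threshold` distinct roles also raises a concentration alert."""
    held, alerts = defaultdict(set), []
    for log in logs:
        t = log["topics"]
        if not t or t[0] != ROLE_GRANTED:
            continue  # some other event (Transfer, RoleRevoked, ...)
        role = ROLE_NAMES.get(t[1], "UNKNOWN_ROLE(" + t[1][:10] + ")")
        account, sender = _addr(t[2]), _addr(t[3])
        held[account].add(role)
        alerts.append(f"block {log['blockNumber']}: {role} granted to {account} by {sender}")
        if len(held[account]) == threshold:
            alerts.append(f"block {log['blockNumber']}: {account} now holds {threshold} "
                          f"admin roles: {sorted(held[account])}")
    return dict(held), alerts

def is_mint_unbacked(tx_input: str) -> bool:
    """True when calldata sent to the Pool starts with the mintUnbacked selector."""
    return tx_input[:10].lower() == MINT_UNBACKED

# Constructed sample: one EOA collecting five roles from a multisig, plus unrelated noise.
ATTACKER, MULTISIG, OTHER = "0x" + "ab" * 20, "0x" + "cd" * 20, "0x" + "ef" * 20
_pad = lambda addr: "0x" + "00" * 12 + addr[2:]  # address -> 32-byte topic
SAMPLE_LOGS = [
    {"blockNumber": 100 + i, "topics": [ROLE_GRANTED, keccak_hex(r), _pad(ATTACKER), _pad(MULTISIG)]}
    for i, r in enumerate(("BRIDGE", "POOL_ADMIN", "ASSET_LISTING_ADMIN", "RISK_ADMIN", "EMERGENCY_ADMIN"))
] + [
    {"blockNumber": 105, "topics": [keccak_hex("Transfer(address,address,uint256)"), _pad(MULTISIG), _pad(OTHER)]},
    {"blockNumber": 106, "topics": [ROLE_GRANTED, keccak_hex("RISK_ADMIN"), _pad(OTHER), _pad(MULTISIG)]},
]

if __name__ == "__main__":
    for line in scan_role_grants(SAMPLE_LOGS)[1]:
        print(line)
    print("mintUnbacked calldata?", is_mint_unbacked(MINT_UNBACKED + "00" * 96))
```

In practice the log list comes from eth_getLogs filtered on the ACLManager address with topic0 set to ROLE_GRANTED, and the calldata check runs over transactions sent to the Pool. With a threshold of two, the concentration alert fires on the second grant; against the sequence described in the timeline above it would have fired on July 29, six days before the first unbacked mint.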
CrediX Finance’s recent exploit shows how dangerous unchecked admin privileges can be — millions lost in minutes. Don’t wait for a breach to test your security. Reach out to 0xTeam for a thorough smart contract audit and governance risk assessment before it’s too late.