
DeFi Hit Again: Market Takes Another Blow

04.08.2025 17:16

A devastating security breach has crippled CrediX_fi, a decentralized exchange, resulting in the theft of approximately $4.5 million. Attackers exploited a compromised administrator account, specifically one ending in "662e," wielding extensive privileges within the protocol's architecture. This compromised account granted access to crucial roles including POOL_ADMIN, BRIDGE, ASSET_LISTING_ADMIN, EMERGENCY_ADMIN, and RISK_ADMIN.

The attack leveraged the BRIDGE role to facilitate the theft. By exploiting a vulnerability allowing the minting of unbacked acUSDC tokens—a synthetic USDC asset exclusive to CrediX's Sonic USDC market—the perpetrators created and drained substantial assets from various liquidity pools. This cunning maneuver effectively involved generating digital currency without any underlying collateral, highlighting a significant flaw in the protocol's design. Information regarding this exploit comes from PeckShield.

In the wake of this significant security failure, CrediX_fi has taken the drastic measure of disabling its website. Users are urged to withdraw funds exclusively through smart contracts, a stark indication of the severity of the situation and the absence of robust backup mechanisms within the protocol to contain the breach. This lack of infrastructure leaves investors and users facing considerable uncertainty and requiring significant damage control efforts.

The compromise extended beyond the financial losses. Major administrative roles were compromised, severely impacting the protocol's integrity. A troubling lack of transparency from developers regarding remediation audits or a recovery plan further exacerbates the crisis. Consequently, investors face potentially long-term consequences, including the likely depletion of CrediX pool liquidity. Moreover, the acUSDC token, along with any associated governance or utility tokens, is at risk of complete collapse due to the severely damaged trust in the project.

Even if the developers regain control, the incident has severely undermined confidence in the smart contracts' integrity and the effectiveness of role management. The existence of an account with god-like powers across various systems transformed the entire ecosystem into a single point of failure, a significant vulnerability that should serve as a warning. Until comprehensive transparency, on-chain forensic analysis, and independent third-party audits are made publicly available, investors are strongly advised to avoid any further involvement with CrediX_fi. Information for this analysis was gathered from internet sources.
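
The role concentration described above can be audited from a protocol's grant and revoke history. The following is an added example, not code from CrediX or PeckShield: it replays role events and flags any account holding more than one privileged role, and it checks the backing of a token that is meant to be collateralized. The role names come from the article; the event tuple format, the addresses, the amounts and the 1:1 backing rule are assumptions made for illustration.

```python
from collections import defaultdict

# Role names as listed in the article; everything else here is constructed.
PRIVILEGED = {"POOL_ADMIN", "BRIDGE", "ASSET_LISTING_ADMIN",
              "EMERGENCY_ADMIN", "RISK_ADMIN"}

def replay_roles(events):
    """Replay (block, action, role, account) events into account -> set of roles."""
    held = defaultdict(set)
    for _block, action, role, account in sorted(events, key=lambda e: e[0]):
        acct = account.lower()          # hex addresses compare case-insensitively
        if action == "grant":
            held[acct].add(role)
        elif action == "revoke":
            held[acct].discard(role)
        else:
            raise ValueError(f"unknown action {action!r}")
    return {a: r for a, r in held.items() if r}

def concentration_findings(events, max_roles=1):
    """Accounts holding more privileged roles than policy allows, worst first."""
    findings = []
    for acct, roles in replay_roles(events).items():
        priv = sorted(roles & PRIVILEGED)
        if len(priv) > max_roles:
            findings.append((acct, priv))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))

def unbacked_amount(total_supply, underlying_held):
    """Units in circulation with no underlying behind them (assumes 1:1 backing)."""
    return max(0, total_supply - underlying_held)

# Constructed sample data: placeholder addresses, not real on-chain accounts.
ADMIN = "0x" + "a1" * 20
OPS = "0x" + "b2" * 20
SAMPLE_EVENTS = [(100, "grant", r, ADMIN) for r in sorted(PRIVILEGED)] + [
    (101, "grant", "RISK_ADMIN", OPS),
    (102, "grant", "BRIDGE", OPS),
    (103, "revoke", "BRIDGE", OPS),      # OPS ends up with a single role
]

if __name__ == "__main__":
    for acct, roles in concentration_findings(SAMPLE_EVENTS):
        print(f"ALERT {acct} holds {len(roles)} privileged roles: {', '.join(roles)}")
    # Constructed amounts: supply exceeds the underlying held by the pool.
    print("unbacked units:", unbacked_amount(1_000_000, 250_000))
```

Run on a schedule against real role events, a non-empty findings list or a non-zero unbacked amount is the condition to alert on.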