DeFi lending protocol CrediX suffered a $4.5 million exploit after attackers gained administrative control of the project’s multisig wallet and abused bridge privileges to mint unbacked collateral tokens.
The breach occurred six days before detection when the compromised admin account was granted multiple high-level roles, including pool admin, bridge controller, and emergency admin permissions.
Blockchain security firms SlowMist and PeckShield identified that the attacker used Tornado Cash-funded addresses to bridge funds to the Sonic network before exploiting the BRIDGE role to mint acUSDC tokens directly.
The hacker then borrowed large amounts against the worthless collateral, draining approximately $2.64 million from the protocol’s lending pools.
The CrediX exploit follows a pattern established by major crypto hacks, including the $234 million WazirX breach in July 2024. Both attacks involved compromised administrative access that bypassed normal security measures through legitimate-appearing transactions from authorized accounts.
Security analysis revealed that the attacker’s address 0xF321***662e held extensive privileges across CrediX’s infrastructure.
The POOL_ADMIN, BRIDGE, ASSET_LISTING_ADMIN, EMERGENCY_ADMIN, and RISK_ADMIN roles provided comprehensive control over protocol operations and asset management.
The bridge role abuse allowed direct minting of collateral tokens without backing assets, creating artificial value that supported massive borrowing positions.
After draining the pools, most stolen funds were bridged back to the Ethereum mainnet with no subsequent movement detected by monitoring systems. CrediX immediately disabled its website to prevent additional user deposits while directing existing users to withdraw funds directly through smart contracts.
The protocol had previously secured a $60 million credit line in 2023, making it a major player in institutional DeFi lending markets.
The attack methodology resembles the WazirX hack, where malicious actors manipulated multisig wallet interfaces to trick authorized signers into approving compromised smart contract upgrades.
Both incidents leveraged open vulnerabilities in known administrative access controls and multisig security implementations.
The CrediX breach adds to crypto’s devastating 2025 security record, with July losses reaching $142 million across 17 major incidents, according to PeckShield data.
The 27.2% increase from June’s $111.6 million reversed a temporary decline in hack-related losses.
Major July exploits included Indian exchange CoinDCX losing $44.2 million through insider involvement and GMX protocol suffering $42 million in re-entrancy attacks.
The CoinDCX incident involved employee Rahul Agarwal, whose compromised laptop provided hackers with system access after receiving malicious files from German contacts.
Physical violence against crypto holders escalated alongside digital attacks, with 32 “wrench attacks” reported globally in 2025.
For example, France experienced nearly one-third of incidents, including kidnapping attempts targeting crypto executives and their family members, with ransom demands reaching €7 million.
Crypto investors also lost over $2.2 billion in 2025’s first half through 344 separate incidents, already exceeding all of 2024’s security losses. Wallet-related breaches accounted for $1.7 billion across 34 attacks, while phishing scams stole $410 million in 132 incidents.
The WazirX exchange remains in legal proceedings following its 2024 hack, with Singapore’s High Court recently allowing creditor revoting on an amended restructuring plan. The court reversal provides hope for affected users who have been unable to access funds for nearly one year.
Recovery efforts across all 2025 incidents have returned $187 million through law enforcement action, white-hat agreements, and exchange cooperation.
However, net losses still total approximately $2.29 billion with an average incident loss of $7.1 million.
For CrediX, the protocol has announced a full refund for all affected users within 24-48 hours, with a post-mortem report expected to be released after restoration.
