
CrediX Finance, a decentralized lending protocol on the Sonic blockchain, was exploited on August 4, 2025, resulting in the loss of approximately $4.5 million in user funds. The attacker exploited a critical governance vulnerability that granted them elevated permissions through the protocol’s multisignature wallet system.
According to reports from blockchain security firm SlowMist, the attacker was added to CrediX’s multisig as a signer six days before the incident occurred. This individual or entity was then granted both “Admin” and “Bridge” roles through the ACLManager — CrediX’s core access control module. These privileges allowed the attacker to mint uncollateralized assets and borrow against them, effectively draining the platform’s lending pool.
PeckShield later confirmed the attack vector, identifying the compromised wallet (ending in ) as the one that carried out the exploit. With bridge and admin-level access, the attacker manipulated the token minting process, generated synthetic collateral, and used it to take out a series of flash loans and transfers that removed funds from the protocol. Once extracted, the funds were bridged from Sonic to Ethereum and dispersed across three separate wallets, where they remain as of this writing.
In response to the breach, CrediX took immediate action by disabling its web application and halting all on-chain operations. A statement issued via the protocol’s official X (formerly Twitter) account acknowledged the attack and confirmed that the team was working on recovering funds. They promised users a full reimbursement within 24 to 48 hours, although details of the recovery plan have not been disclosed.
The attacker’s initial withdrawal amounted to roughly $2.64 million — believed to be seeded via Tornado Cash — before escalating the exploit to its full $4.5 million impact. Investigators at CertiK and other security firms are monitoring the attacker wallets and analyzing fund movements in hopes of tracking or freezing the stolen assets.
The incident has renewed scrutiny of the role of multisig wallets in DeFi governance. While multisigs are often seen as a security layer, this attack demonstrates how misconfigured access controls can quickly lead to catastrophic loss. CrediX’s decision to grant sweeping administrative permissions to a single new multisig signer without broader protocol approval has raised questions about its internal governance structure and security protocols.
The CrediX exploit is the latest in a string of DeFi-related attacks in 2025, many of which have targeted governance or administrative layers rather than codebase flaws. As protocols race to launch products and attract liquidity, security audits and decentralized governance implementations have struggled to keep pace.
Analysts warn that governance-based vulnerabilities will continue to be a systemic risk for emerging DeFi platforms. The CrediX attack underscores the need for real-time access monitoring, role-based permission segmentation, and mandatory community-based approval systems for critical changes.
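One form the "real-time access monitoring" and "role-based permission segmentation" recommended above can take is an off-chain monitor that replays multisig signer additions and ACLManager role grants and raises an alert when a freshly added signer receives a privileged role, or when one account ends up holding both an admin role and the bridge role. The script below is an added example, not CrediX's code or SlowMist's tooling; the role names (`POOL_ADMIN`, `EMERGENCY_ADMIN`, `BRIDGE`), the Safe-style `AddedOwner` event, the seven-day grace window and every address and timestamp are constructed for illustration.

```python
"""Replay signer additions and role grants, flag risky privilege changes.

Role names follow Aave-style ACLManager conventions and the AddedOwner event
mirrors a Gnosis-Safe-style multisig; both are assumptions for this example.
"""
from dataclasses import dataclass

DAY = 86_400
ADMIN_ROLES = {"POOL_ADMIN", "EMERGENCY_ADMIN"}  # assumed admin role labels
BRIDGE_ROLE = "BRIDGE"                            # assumed bridge role label
PRIVILEGED = ADMIN_ROLES | {BRIDGE_ROLE}

@dataclass(frozen=True)
class Event:
    ts: int        # block timestamp (unix seconds)
    kind: str      # "AddedOwner" (multisig) or "RoleGranted" (ACLManager)
    account: str   # address that was added as signer / received the role
    role: str = "" # only meaningful for RoleGranted

def audit(events, grace=7 * DAY):
    """Return alert strings for (a) a privileged role granted to an account
    that became a signer less than `grace` seconds earlier and (b) an account
    holding an admin role and the bridge role at the same time."""
    alerts, signer_since, roles, paired = [], {}, {}, set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "AddedOwner":
            signer_since[ev.account] = ev.ts
        elif ev.kind == "RoleGranted":
            held = roles.setdefault(ev.account, set())
            held.add(ev.role)
            added = signer_since.get(ev.account)
            if ev.role in PRIVILEGED and added is not None and ev.ts - added < grace:
                alerts.append(f"fresh-signer-privilege:{ev.account}:{ev.role}")
            if held & ADMIN_ROLES and BRIDGE_ROLE in held and ev.account not in paired:
                paired.add(ev.account)
                alerts.append(f"admin-and-bridge:{ev.account}")
    return alerts

# Constructed sample: a long-standing ops signer gets one admin role much later
# (benign); a new signer gets admin + bridge six days after being added.
SAMPLE_EVENTS = [
    Event(0 * DAY, "AddedOwner", "0xLONGTIMEOPS"),
    Event(60 * DAY, "RoleGranted", "0xLONGTIMEOPS", "EMERGENCY_ADMIN"),
    Event(100 * DAY, "AddedOwner", "0xNEWSIGNER"),
    Event(106 * DAY, "RoleGranted", "0xNEWSIGNER", "POOL_ADMIN"),
    Event(106 * DAY + 60, "RoleGranted", "0xNEWSIGNER", "BRIDGE"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from an RPC log subscription on the multisig and ACLManager contracts; the detection rules stay the same.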
With the broader DeFi ecosystem already under regulatory and public scrutiny, exploits like this threaten to undermine trust in decentralized finance at a critical time for its mainstream adoption.

