- Exploiter gained multiple admin permissions
- Bridge roles allow attackers to mint tokens, drain pools
- Privacy tools like Tornado Cash hide stolen cryptocurrency
The Credix theft totaled a jaw-dropping $2.64 million and spread panic among the protocol's users. Blockchain trackers Cyvers Alerts and SlowMist flagged the exploit. Within minutes, social feeds erupted with credible warnings.
Credix's official X account acknowledged the breach and stated that its teams were on high alert.
Security experts at SlowMist stated that “The CrediX Multisig Wallet, six days ago, Admin and Bridge were added as an attacker by ACLManager.” The fallout was immediate: Credix took its site offline to stop further deposits.
The Admin Role Breach That Cracked The Vault
The root cause shocked many: admin access blunders. A single address holding the highly privileged Bridge role took control and issued unbacked tokens. PeckShield, writing on X, reported the misused administrator account in a post titled “The BRIDGE role is abused to drain pool assets.” That single permissions error wiped out millions in moments.
SlowMist elaborated in a post on X: “As the Bridge participant, the attacker, in fact, minted collateral tokens to themselves using the Pool.” The funds were moved from Sonic Network to Ethereum within a short time, making tracing and recovery almost impossible.
Multisig Trust Shattered – How Did This Go So Wrong?
Regulators are now scrutinizing Credix, which last year earned praise for securing a $60 million credit line. Six days before the heist, the attacker gained both the admin and bridge controller privileges through the ACLManager, unnoticed. The attacker then used the protocol's own smart contracts to mint tokens, post them as collateral, borrow enormous sums of money, and drain the liquidity at will.
PeckShield identified the hacked account on X and listed the permissions it held: POOL_ADMIN, BRIDGE, ASSET_LISTING_ADMIN, EMERGENCY_ADMIN, and RISK_ADMIN were all controlled by a single compromised address.
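The role grants described above sat unnoticed for six days. One way to catch them, as an added example that is not Credix's or any named firm's code: replay decoded role grant and revoke records and flag unapproved grants and role concentration on one address. The record format, allowlist, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Role names are the ones PeckShield listed; the policy values are assumptions.
PRIVILEGED = {"POOL_ADMIN", "BRIDGE", "ASSET_LISTING_ADMIN",
              "EMERGENCY_ADMIN", "RISK_ADMIN"}
MINT_CAPABLE = {"BRIDGE"}      # role the article says was abused to mint
MAX_ROLES_PER_ADDRESS = 1      # assumed separation-of-duties limit


def audit_role_events(events, approved):
    """Replay grant/revoke records in block order and return findings.

    events:   dicts with block, kind ("grant" or "revoke"), role, account
    approved: {role: set of lowercase addresses expected to hold it}
    """
    held = defaultdict(set)    # account -> privileged roles currently held
    findings = []
    for ev in sorted(events, key=lambda e: e["block"]):
        role, acct = ev["role"], ev["account"].lower()
        if role not in PRIVILEGED:
            continue
        if ev["kind"] == "revoke":
            held[acct].discard(role)
            continue
        held[acct].add(role)
        if acct not in approved.get(role, set()):
            sev = "critical" if role in MINT_CAPABLE else "high"
            findings.append((ev["block"], sev, "unapproved-grant", acct, role))
        if len(held[acct]) > MAX_ROLES_PER_ADDRESS:
            findings.append((ev["block"], "critical", "role-concentration",
                             acct, ",".join(sorted(held[acct]))))
    return findings


# Constructed sample: placeholder addresses and block numbers, not chain data.
OPS, NEW = "0x" + "a1" * 20, "0x" + "bb" * 20
APPROVED = {"RISK_ADMIN": {OPS}}
SAMPLE = [
    {"block": 100, "kind": "grant", "role": "RISK_ADMIN", "account": OPS},
    {"block": 200, "kind": "grant", "role": "POOL_ADMIN", "account": NEW},
    {"block": 201, "kind": "grant", "role": "BRIDGE", "account": NEW},
    {"block": 202, "kind": "revoke", "role": "POOL_ADMIN", "account": NEW},
]

if __name__ == "__main__":
    for finding in audit_role_events(SAMPLE, APPROVED):
        print(finding)
```

Run against a live feed of role changes, the same checks would alert at grant time rather than after funds have moved.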
Blockchain sleuths say Tornado Cash obfuscated the attacker’s tracks. Privacy mixers, as SlowMist and Cyvers noted, continue to make tracing illicit funds extremely difficult. This affects both the victims and those tasked with investigating the theft.
Credix assured users that their funds would remain accessible through smart contracts even while the website was closed down. The protocol said that all funds should be recovered within 24-48 hours; however, many investors remain cautious.