defirisk.co
rubric v1.7.0

Credix: Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral

An attacker who was granted Admin + Bridge roles on Credix's ACLManager six days before the exploit used the bridge minting function to fabricate $4.5M in phantom collateral, then borrowed all real liquidity from the protocol.

Occurred 2025-08-05 Loss $5M Status closed

Summary #

Credix suffered a Lending / Credit Market on 2025-08-05, resulting in a loss of approximately $5M.

What happened #

An attacker who was granted Admin + Bridge roles on Credix's ACLManager six days before the exploit used the bridge minting function to fabricate $4.5M in phantom collateral, then borrowed all real liquidity from the protocol.

Linked factors #

  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — Credix was new to Sonic chain; deployment recency unconfirmed] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — Credix was new to Sonic chain; deployment recency unconfirmed]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — multisig granted both Admin and Bridge roles to attacker address 6 days prior; this is the root exploitable signal]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Y — ACLManager role grant (BRIDGE + Admin) to attacker address was visible on-chain 6 days before exploit; Tornado Cash-funded setup address...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — multisig granted both Admin and Bridge roles to attacker address 6 days prior; this is the root exploitable signal]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Appears to be an Aave-style lending architecture (ACLManager, POOL_ADMIN, BRIDGE roles are characteristic of Aave v3); fork of Aave v3 archi...]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — Credix was new to Sonic chain; deployment recency unconfirmed]