<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: QuillAudits</title>
    <description>The latest articles on Forem by QuillAudits (@quillaudits_ai).</description>
    <link>https://forem.com/quillaudits_ai</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F9203%2F6abe5f3d-95f1-440d-801f-5ac4c914d9d9.png</url>
      <title>Forem: QuillAudits</title>
      <link>https://forem.com/quillaudits_ai</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/quillaudits_ai"/>
    <language>en</language>
    <item>
      <title>CrediX Finance’s $4.5M Exploit (Suspected Exit Scam)</title>
      <dc:creator>QuillAudits</dc:creator>
      <pubDate>Tue, 12 Aug 2025 07:26:24 +0000</pubDate>
      <link>https://forem.com/quillaudits_ai/credix-finances-45m-exploit-suspected-exit-scam-28d9</link>
      <guid>https://forem.com/quillaudits_ai/credix-finances-45m-exploit-suspected-exit-scam-28d9</guid>
      <description>&lt;p&gt;On August 4, 2025, CrediX Finance, a lending protocol on the Sonic blockchain, was hit by a $4.5M exploit — just weeks after its July launch. What first appeared to be a security breach soon raised suspicions of an exit scam when the team vanished after promising full recovery of user funds.&lt;/p&gt;

&lt;h2&gt;How It Happened&lt;/h2&gt;

&lt;p&gt;Just six days before the attack, the exploiter gained full administrative control through CrediX’s ACLManager contract, likely using a compromised or insider-owned admin wallet. They granted themselves multiple high-level roles, including complete pool control, cross-chain bridge access, asset listing authority, and emergency shutdown powers.&lt;/p&gt;

&lt;p&gt;Using these privileges, the attacker exploited the BRIDGE_ROLE to mint millions in unbacked acUSDC and acscUSD tokens without depositing any collateral. They then used these fake assets as collateral to borrow legitimate funds, draining over $4.5M worth of USDC, scUSD, wS, staked tokens and WETH.&lt;/p&gt;

&lt;h2&gt;Why It’s Not Just a ‘Hack’&lt;/h2&gt;

&lt;p&gt;This wasn’t a typical smart contract vulnerability. The exploit relied on centralized admin privileges, a governance flaw that allowed complete abuse of protocol functions. Evidence suggests insider involvement or collusion.&lt;/p&gt;

&lt;h2&gt;Post-Attack Fallout&lt;/h2&gt;

&lt;p&gt;Initially, CrediX promised full restitution within 48 hours, claiming a deal had been reached with the attacker. But within days the team disappeared: the website went offline, social accounts were deleted, and no recovery plan was shared. Stability DAO has since taken charge of recovery efforts, collecting KYC details of two team members and preparing a formal legal case.&lt;/p&gt;

&lt;h2&gt;Want to Dive Deeper?&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;We’ve broken down the CrediX exploit step-by-step in our full blog, covering the transactions, role setup, funds flow, and red flags that pointed to an exit scam.&lt;br&gt;
👉 &lt;a href="https://www.quillaudits.com/blog/hack-analysis/credix-finance-4.5m-exploit?utm_source=devto&amp;amp;utm_medium=blog&amp;amp;utm_campaign=credix_exploit" rel="noopener noreferrer"&gt;Read the full CrediX Finance exploit analysis here&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;The Bigger Lesson&lt;/h2&gt;

&lt;p&gt;CrediX’s downfall highlights the dangers of excessive admin centralization in DeFi. Without checks like multi-signature governance and transparent oversight, even secure smart contracts can be undermined from within.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.quillaudits.com" rel="noopener noreferrer"&gt;At QuillAudits&lt;/a&gt;, we’ve seen this pattern repeat across the industry. In our &lt;a href="https://www.quillaudits.com/reports/crypto-exploits-h1-report-2025?utm_source=devto&amp;amp;utm_medium=blog&amp;amp;utm_campaign=h1_2025_report" rel="noopener noreferrer"&gt;H1 2025 Web3 Security Report&lt;/a&gt;, insider threats and governance mismanagement continue to be leading causes of multi-million dollar losses, proving that security isn’t just about code but also about who controls the keys.&lt;/p&gt;

</description>
      <category>blockchain</category>
      <category>web3</category>
      <category>smartcontract</category>
      <category>lendingprotocol</category>
    </item>
    <item>
      <title>Arcadia Finance Lost $3.5M Due to Lack of Input Validation</title>
      <dc:creator>QuillAudits</dc:creator>
      <pubDate>Thu, 17 Jul 2025 11:25:41 +0000</pubDate>
      <link>https://forem.com/quillaudits_ai/arcadia-finance-lost-35m-due-to-lack-of-input-validation-12ad</link>
      <guid>https://forem.com/quillaudits_ai/arcadia-finance-lost-35m-due-to-lack-of-input-validation-12ad</guid>
      <description>&lt;p&gt;Arcadia Finance, known for its automated liquidity management protocol, faced a massive exploit on July 15, 2025. The protocol, deployed on the Base chain, lost around $3.5 million after a critical input validation flaw was exploited by an attacker.&lt;/p&gt;

&lt;h2&gt;What Went Wrong?&lt;/h2&gt;

&lt;p&gt;At the heart of the exploit was the rebalance function in Arcadia’s smart contract. This function allowed users to manage their liquidity positions flexibly. However, it lacked strict validation checks for certain inputs, especially the swapData parameter, opening a door for attackers.&lt;/p&gt;

&lt;p&gt;The attack began with a large flash loan of 5,623 WETH and 9,968 cbBTC. Using this, the attacker set themselves as the asset manager by invoking the setAssetManager function, which was callable by any ordinary user. Once in control, they could trigger sensitive functions like flashAction().&lt;/p&gt;

&lt;p&gt;The attacker then minted an LP NFT with a minimal amount of assets and even repaid a debt on behalf of the victim contract to bypass the system’s health check mechanism. By doing this, they ensured their malicious actions wouldn’t immediately revert.&lt;/p&gt;

&lt;h2&gt;The Exploit Flow&lt;/h2&gt;

&lt;p&gt;With the groundwork set, the attacker called the rebalance function on the RebalancerSpot contract. This function accepted a maliciously crafted swapData payload. Through a series of function calls enabled by this data, the attacker executed a flash action that allowed them to withdraw various NFT LP positions tied to Arcadia.&lt;/p&gt;

&lt;p&gt;Once withdrawn, they drained these positions by removing liquidity — walking away with substantial profits.&lt;/p&gt;

&lt;h2&gt;The Root Cause&lt;/h2&gt;

&lt;p&gt;The real issue lay in the unchecked input of the rebalance function and the chained internal function calls that followed.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The malicious swapData wasn’t validated.&lt;/li&gt;
&lt;li&gt;This led to internal calls like _swap() and executeAction() trusting and executing harmful logic.&lt;/li&gt;
&lt;li&gt;The attacker used this loophole to extract LP positions and empty them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In simple terms, Arcadia’s contracts were too trusting of user-supplied data, an oversight that cost them millions.&lt;/p&gt;

&lt;h2&gt;Aftermath&lt;/h2&gt;

&lt;p&gt;The attacker funded their operations via Tornado Cash and later bridged 1,203 ETH from Base to Ethereum using Across Protocol. Despite the Arcadia team reaching out, recovery efforts were unsuccessful.&lt;/p&gt;

&lt;p&gt;Want to know how this hack unfolded in detail?&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;We’ve broken down the full attack flow, fund movement, and key security lessons in our detailed analysis:&lt;br&gt;
👉 &lt;a href="https://www.quillaudits.com/blog/hack-analysis/arcadia-finance-hack-analysis" rel="noopener noreferrer"&gt;Read the Full Analysis on Arcadia Finance Exploit&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Crypto Hacks in 2025: A Growing Concern&lt;/h2&gt;

&lt;p&gt;The Arcadia exploit is just one among many high-profile attacks that shook the Web3 space in 2025. In fact, over $2.3 billion was lost to various exploits in the first half of the year alone. Access control flaws, social engineering and unchecked input validations topped the list of attack vectors.&lt;/p&gt;

&lt;p&gt;If you want a deeper dive into these trends and key security insights, check out our &lt;a href="https://www.quillaudits.com/reports/crypto-exploits-h1-report-2025" rel="noopener noreferrer"&gt;2025 H1 Crypto Exploits &amp;amp; Security Breaches Report&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Don’t Let Input Validation Flaws Drain Your Protocol!&lt;/h2&gt;

&lt;p&gt;Arcadia’s $3.5M exploit highlights a classic yet dangerous oversight: failing to validate critical input data. At &lt;a href="https://www.quillaudits.com/" rel="noopener noreferrer"&gt;QuillAudits&lt;/a&gt;, we help projects spot such vulnerabilities before attackers do, with in-depth audits and a multi-layered review framework.&lt;/p&gt;

</description>
      <category>web3</category>
      <category>security</category>
      <category>blockchain</category>
      <category>smartcontract</category>
    </item>
  </channel>
</rss>
