Hacker hits CrediX for $200K after $2.64M flash loan exploit on Sonic chain

CrediX, one of the minor lending apps on the Sonic chain, lost up to $200K in liquidity from a $2.6M flash loan. The wallet was funded from Tornado Cash, and the funds were later bridged to Ethereum. CrediX locked its site after unauthorized withdrawals were intercepted by on-chain investigators. A minor lending protocol on Sonic, it lost around $200K in liquidity following a rogue $2.64M flash loan. The attack was immediately intercepted by Cyvers Alerts, noticing that the attacker’s wallet was funded by Tornado Cash. 🚨ALERT🚨Our system has detected multiple suspicious transactions on the #Sonic network involving @CrediX_fi . An address funded by @TornadoCash on the #ETH network bridged funds to the #Sonic network and borrowed approximately 2.64M from @CrediX_fi . Most of these funds have… pic.twitter.com/vK2y21Vhu9 — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) August 4, 2025 Following the exploit, the hacker sent the funds to an Ethereum address, potentially in preparation for mixing or trading. The tactic has drawn comparisons to similar hacks by DPRK attackers , who typically bridge funds to Ethereum for easier transfers and liquidity. CrediX disabled deposits The Sonic chain remains safe, but CrediX has not yet clarified the exact reason for the exploit. The lending startup announced that its deposits are closed to avoid further attacks. website has been disabled to prevent users from depositing. Please use contracts to withdraw — CrediX (@CrediX_fi) August 4, 2025 However, further investigation showed that the flash loan was not available to general users. The exploiter, instead, managed to secure admin access to a multisig wallet, allowing control over the bridge function. Although the initial unauthorized withdrawals were small, the attacker managed to mint up to $4.5M in unauthorized bridged USDC tokens. The attacker minted collateral tokens, allowing the creation of a loan. The loan was outsized compared to the available liquidity, draining the protocol’s pool in essence. According to SlowMist, the attacker prepared six days ago by gaining admin access to one of the lending platform’s multisig wallets. While the protocol did not have sufficient liquidity for a major hack, the ability to mint tokens unbacked by a deposit allowed the hacker much bigger leeway when taking out a loan. CrediX extends series of small-scale attacks CrediX is a relatively minor lending protocol, locking in just 219.64 SOL. The project aims to build up its growth as Solana-based lending is expanding. The attacked version is fully supported on Sonic, offering P2P lending between small-scale users. The relatively small-scale hacks follow the attack on SuperRare , which took $730K by exploiting an infrequently used smart contract . The attack against CrediX shows that even small and relatively obscure protocols are not safe when hackers find a way to drain their remaining liquidity. The CrediX protocol has shown extremely limited activity , with most of the remaining funds locked in USDC tokens. The attack happened at a time when Sonic bridging was generally highly active. The Sonic chain sees around 20K daily active users, sinking to a lower baseline after the hype around its launch. Sonic total value locked has also slid, from around $1B down to $439M . The Sonic chain suffered a similar hack in May, where an oracle mispricing led to a $700K unauthorized outflow from Vicuna Finance. Sonic has also sparked fears of repeating the fate of Fantom, its earlier incarnation. Fantom was hacked for $200M and lost most of its volumes, later reinventing itself as the Sonic L2 chain. Cryptopolitan Academy: Coming Soon – A New Way to Earn Passive Income with DeFi in 2025. Learn More

Source: Cryptopolitan