CrediX DeFi Protocol Exploiter Agrees to Return $4.5 Million in Stolen Funds
In a surprising turn of events, the hacker behind the $4.5 million CrediX DeFi protocol exploit has agreed to return the stolen funds within 24 to 48 hours. This comes after successful negotiations with the protocol team, who offered the exploiter compensation from the CrediX treasury in exchange for the return of the funds. But what’s even more interesting is that affected users will receive airdrops of their asset shares, essentially making them whole again.
The Exploit: A Multisig Wallet Compromise
So, how did this whole ordeal go down? It all started when attackers gained administrative control of CrediX’s multisig wallet and used its bridge privileges to mint unbacked collateral tokens on the Sonic network. Operating from Tornado Cash-funded addresses, the hacker abused the BRIDGE role permissions to mint acUSDC directly, with no deposit backing it on the source chain, then borrowed against that unbacked collateral to drain approximately $2.64 million from the lending pools. It was a clever, albeit malicious, move that caught the protocol team off guard.
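The failure described above is a broken invariant: a bridged collateral token should never have more supply on the destination chain than assets locked on the source chain, and the BRIDGE role should only ever be granted through the expected governance path. The monitor below is an added illustration written for this article, not CrediX’s code or any real bridge’s API; the event format, the "BRIDGE" role name and the sample event stream are all constructed for the example. It replays lock, mint, burn and role-grant events, keeps a running backing ratio, and raises an alert when minted supply exceeds locked backing or when a mint comes from an address that never held the role.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class BridgeEvent:
    """One constructed event from either side of a hypothetical bridge."""
    kind: str                       # "lock", "mint", "burn" or "role_grant"
    account: str                    # depositor, minter or role recipient
    amount: Decimal = Decimal(0)    # token amount for lock/mint/burn
    role: str = ""                  # role name for role_grant events


@dataclass
class BackingMonitor:
    """Tracks locked source-chain assets against minted destination-chain
    supply and records alerts when the backing invariant is broken."""
    locked: Decimal = Decimal(0)
    minted: Decimal = Decimal(0)
    bridge_roles: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def unbacked_amount(self) -> Decimal:
        """Supply on the destination chain with no locked asset behind it."""
        return max(self.minted - self.locked, Decimal(0))

    def process(self, ev: BridgeEvent) -> None:
        if ev.kind == "role_grant" and ev.role == "BRIDGE":
            # Any new BRIDGE holder is worth a human look: it is the
            # permission that lets someone create collateral out of thin air.
            self.bridge_roles.add(ev.account)
            self.alerts.append(
                f"BRIDGE role granted to {ev.account}; confirm this came through governance")
        elif ev.kind == "lock":
            self.locked += ev.amount
        elif ev.kind == "burn":
            self.minted -= ev.amount
        elif ev.kind == "mint":
            if ev.account not in self.bridge_roles:
                self.alerts.append(f"mint of {ev.amount} by {ev.account} without BRIDGE role")
            self.minted += ev.amount
            if self.minted > self.locked:
                self.alerts.append(
                    f"unbacked mint: minted {self.minted} exceeds locked {self.locked}")


def run_sample() -> BackingMonitor:
    """Replay a constructed event stream: one legitimate bridge transfer,
    then a role grant to a fresh address followed by a mint with no lock."""
    events = [
        BridgeEvent("role_grant", "0xBRIDGE_RELAYER", role="BRIDGE"),   # constructed
        BridgeEvent("lock", "0xUSER", Decimal("1000000")),
        BridgeEvent("mint", "0xBRIDGE_RELAYER", Decimal("1000000")),
        BridgeEvent("role_grant", "0xFRESH_ADDRESS", role="BRIDGE"),    # constructed
        BridgeEvent("mint", "0xFRESH_ADDRESS", Decimal("2000000")),     # no matching lock
    ]
    monitor = BackingMonitor()
    for ev in events:
        monitor.process(ev)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for line in m.alerts:
        print("ALERT:", line)
    print("unbacked supply:", m.unbacked_amount())
```

The first alert fires even for the legitimate relayer, which is intentional: role grants on a privileged contract are rare and should always page someone. The unbacked-mint check is the one that would have caught the pattern in the article, because a mint with no corresponding lock immediately pushes minted supply above locked backing, regardless of who holds the role.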
A Growing Trend: Negotiating with Exploiters
This isn’t the first time we’ve seen a DeFi protocol negotiate with an exploiter to recover stolen funds. In fact, CrediX is just the latest in a growing list of protocols that have successfully recovered funds through negotiations. GMX, for example, recovered a whopping $40.5 million in July after offering a $5 million bounty to the attacker. And it’s not just the big players – smaller protocols like ZKsync Association and KiloEx have also had success with this approach.
White-Hat Negotiations: A New Recovery Strategy
So, what’s behind this trend of negotiating with exploiters? According to security experts, most hackers realize that keeping stolen cryptocurrency creates more problems than benefits, thanks to enhanced blockchain forensics and legal risks. As a result, they’re more willing to return funds in exchange for amnesty or a bounty. But while this approach may be effective in some cases, it’s not a foolproof solution. As Immunefi CEO Mitchell Amador notes, “relying on a hacker’s change of heart is not a viable strategy for protocol security.” Instead, protocols need to focus on prevention, rather than reaction.
The Risks of Reactive Security Measures
Amador warns that reactive security measures, like post-hack bug bounties, can actually create more problems than they solve. By launching a bug bounty only after a hack, protocols may be signaling weakness or a lack of preparedness, which can attract more malicious actors. Furthermore, underincentivized researchers may be more likely to exploit vulnerabilities rather than report them. It’s a classic case of “too little, too late” – by the time a protocol discovers its security flaws this way, the damage is already done.
The Importance of Prevention
So, what’s the solution? According to Amador, prevention is key. Protocols need to invest in unified security stacks that integrate AI-powered agents for constant vulnerability scanning and immediate threat detection. This approach can help identify and mitigate potential security risks before they become major incidents. It’s a proactive, rather than reactive, approach that can save protocols from devastating losses and reputational damage.
As the crypto space continues to evolve, it’s clear that security will remain a top priority. With net losses totaling approximately $2.29 billion in the first half of 2025, it’s more important than ever for protocols to take a proactive approach to security. By investing in prevention and leveraging the latest technologies, we can create a safer, more secure crypto ecosystem for all.