Merlin’s Magic Lost As Developers Drain Platform

$1.82 Million Stolen from DEX

  • Merlin DEX has been exploited for $1.82 million, with CertiK blaming “rogue developers” for the hack.

  • The zkSync-based exchange only recently launched and received a code audit from smart contract security firm CertiK.

  • Security experts highlight major centralization issues on the Merlin DEX’s smart contracts, and the lack of multisig wallets makes privileged addresses a juicy target for hackers.

Decentralized exchange (DEX) Merlin was recently drained of around $1.82 million from its liquidity pool due to rogue developers who abused their private key privileges. Smart contract security firm CertiK, which audited the DEX just before its launch, said that “initial findings point to a potential private key management issue rather than an exploit as the root cause”.

Merlin itself accused several members of the back-end team of draining its contracts. The DEX asked users to revoke connected site access on their wallets as a precaution. CertiK is working with the remaining Merlin team and the zkSync network to compensate affected users.

Merlin, which is built on zkSync, an Ethereum layer-2 scaling solution, launched only a few days ago with the public sale of its MAGE token. According to CertiK, initial investigations indicate that the rogue developers are based in Europe, and the firm is working with law enforcement to track them down.

CertiK has also highlighted Merlin’s centralization risk in its audit report. Blockchain security experts pointed out “major centralization issues” on the Merlin DEX’s smart contracts, and Merlin has yet to provide an update on the issue.

Audits cannot prevent private key issues, so CertiK has highlighted best practices for projects. Multisig wallets help, whereas giving a single account full approval to transfer funds makes that one private key a juicy target for blackhat hackers.

Smart contract audits are helpful for locating vulnerabilities and protecting users’ assets in the protocol, but one aspect that is usually ignored is the possibility that the protocol itself is malicious. Therefore, CertiK encouraged users to look for projects that have completed a voluntary KYC vetting process.

The recent hack of the Merlin DEX raises concerns about centralization issues and proper key management in the crypto industry. Built on the Ethereum layer-2 scaling solution zkSync, Merlin was drained of around $1.82 million from its liquidity pool by rogue developers. CertiK, which completed an audit of the DEX before its launch, has urged the hackers to accept a 20% white hat bounty and confirmed that it is “actively investigating” the incident.

Experts have pointed to major centralization issues on Merlin DEX’s smart contracts, including the fact that the address receiving pool fees was allowed to drain all funds from every pool in the protocol. While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activity by rogue developers, such as rug pulls.
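As an added illustration, not code from Merlin, CertiK or this article, the Solidity below contrasts an assumed fee-recipient pattern of the kind described above, where one privileged address holds an unlimited allowance over entire pool balances, with a hardened variant in which only accrued fees can leave, and only to a multisig or timelock address. Contract and function names are hypothetical.

```solidity
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak pattern (assumed, for illustration): the pool hands the fee recipient an
// unlimited allowance over its whole balance, so whoever holds feeTo's private
// key can pull every token, not just the fees it is owed.
contract PoolUnlimitedApproval {
    constructor(IERC20 token0, IERC20 token1, address feeTo) {
        token0.approve(feeTo, type(uint256).max); // one key now controls the pool
        token1.approve(feeTo, type(uint256).max);
    }
}

// Hardened pattern: fees are accounted separately from liquidity, only the
// accrued amount can leave, and only to feeCollector, which is expected to be a
// multisig (optionally behind a timelock). No allowance is ever granted.
contract PoolAccruedFees {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeCollector; // multisig / timelock address
    uint256 public accruedFees0;
    uint256 public accruedFees1;

    constructor(IERC20 _token0, IERC20 _token1, address _feeCollector) {
        token0 = _token0;
        token1 = _token1;
        feeCollector = _feeCollector;
    }

    // Called by the swap logic (omitted) to book the protocol's share of a trade.
    function _accrueFee(uint256 fee0, uint256 fee1) internal {
        accruedFees0 += fee0;
        accruedFees1 += fee1;
    }

    // Only the collector can withdraw, and only what has actually accrued;
    // liquidity providers' deposits are never reachable from here.
    function collectFees() external {
        require(msg.sender == feeCollector, "not fee collector");
        (uint256 f0, uint256 f1) = (accruedFees0, accruedFees1);
        accruedFees0 = 0;
        accruedFees1 = 0;
        require(token0.transfer(feeCollector, f0), "transfer0 failed");
        require(token1.transfer(feeCollector, f1), "transfer1 failed");
    }
}
```

A reviewer checking a pool for this class of issue looks for any `approve` of pool tokens to an externally controlled address and for withdrawal paths that are not bounded by a separately tracked fee balance.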

Thanks for reading Solanews; remember to follow our social media channels for more.