$1.82 Million Stolen from DEX
Merlin DEX has been exploited for $1.82 million, with CertiK blaming “rogue developers” for the hack.
The zkSync-based exchange only recently launched and received a code audit from smart contract security firm CertiK.
Security experts highlight major centralization issues on the Merlin DEX’s smart contracts, and the lack of multisig wallets makes privileged addresses a juicy target for hackers.
Merlin's Post-Mortem— Merlin (@TheMerlinDEX) April 26, 2023
it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.
In the early hours of this morning the several members of the Back-End Team drained all of our Contracts.
Decentralized exchange (DEX) Merlin was recently drained of around $1.82 million from its liquidity pool due to rogue developers who abused their private key privileges. Smart contract security firm CertiK, which audited the DEX just before its launch, said that “initial findings point to a potential private key management issue rather than an exploit as the root cause”.
1/ CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.— CertiK (@CertiK) April 26, 2023
Merlin itself accused several members of the back-end team of draining its contracts. The DEX asked users to revoke connected site access on their wallets as a precaution. CertiK is working with the remaining Merlin team and the ZKSync network to compensate affected users.
Merlin, which is built on zkSync, an Ethereum layer-2 scaling solution, launched only a few days ago with the public sale of its MAGE token. According to CertiK, initial investigations indicate that the rogue developers are based in Europe, and the firm is working with law enforcement to track them down.
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
CertiK has also highlighted Merlin’s centralization risk in its audit report. Blockchain security experts pointed out “major centralization issues” on the Merlin DEX’s smart contracts, and Merlin has yet to provide an update on the issue.
Audits cannot prevent private key issues, so CertiK highlighted best practices to projects. While multisig wallets are beneficial, having full fund transfer approval on a single account makes the private key a juicy target for blackhat hackers.
Give me your money. yes, Sir!— Yajin (Andy) Zhou (@yajinzhou) April 26, 2023
It's like a bank pre-authorizes that the owner of the bank can arbitrarily withdraw all customers' money.
If you know this, will you still deposit your tokens into the bank?
That's how #Merlin DEX works. pic.twitter.com/7NdyhRpjky
Smart contract audits are helpful for locating vulnerabilities and protecting users’ assets in the protocol, but one aspect that is usually ignored is what if the protocol itself is malicious. Therefore, CertiK encouraged users to look for projects that have performed a voluntary KYC vetting process.
The recent hack of the Merlin DEX raises concerns about centralization issues and proper key management in the crypto industry. Built on Ethereum layer-2 scaling solution zkSync, Merlin was drained of around $1.82 million from its liquidity pool by rogue developers. CertiK, who completed an audit of the DEX before its launch, has urged the hackers to accept a 20% white hat bounty and confirmed that it is “actively investigating” the incident.
Experts have pointed to major centralization issues on Merlin DEX’s smart contracts, including the fact that the address receiving pool fees was allowed to drain all funds from every pool in the protocol. While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls.