- zkSync project Merlin DEX has suffered a $1.82 million hack, draining its liquidity pool.
- The attack comes just a few days after the CertiK audit that preceded the platform's launch.
- The attacker transferred the loot to Ethereum.
- CertiK has defended itself, saying the audit job was well done, but its audit quality is concerning.
zkSync decentralized exchange (DEX) Merlin was hacked shortly after an audit by smart contract auditor CertiK. Reportedly, the threat actor drained the liquidity pool (LP) and made away with $1.82 million. As the DEX continues to analyze the attack, the team has cautioned everyone linked to its site to revoke their wallets and change the status of their sign permission.
Developer announcement
— Merlin (@TheMerlinDEX) April 26, 2023
Can everyone revoke connected site access on your wallets/sign permission https://t.co/YRxH7IUU4T
We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution.
More updates will be provided
Blockchain security firm PeckShield has revealed that the attacker is already sending the loot to exchanges, citing $133,800 USDC sent to MEXC Global and $31,000 USDC to Binance.
#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited. One of the exploiters 0x2744...9b7 has grabbed ~850K $USDC and bridged them to #Ethereum https://t.co/hfgjJJY7Ml pic.twitter.com/07uSGMAt7e
— PeckShieldAlert (@PeckShieldAlert) April 26, 2023
PeckShield has also provided the hacker's addresses, indicating that two addresses were responsible for the exploit. Reportedly, the first address, which starts with 0x2744, took $850,000 USDC before bridging it to Ethereum. The other address, starting with 0x2744d62, looted $844,000 USDC.
@circle 0xb72200739d557ce12b41876772e1e434af896644 has rugged @TheMerlinDEX of $147k . Can you please freeze his USDC on main net?@peckshield
— Qaheer (@wasgiventhatday) April 26, 2023
The fact that the attacker drained the liquidity pools indicates that they somehow engineered the LP's smart contracts.
Considering CertiK also audited Terra, the attack has raised concerns over the validity of the firm's audits, despite it being one of the biggest brands in the blockchain security space. Other CertiK clients that suffered hacks post-audit include PancakeBunny, Uranium Finance, and Meerkat Finance. This has cast doubt on the quality of CertiK audits.
Two views have already questioned the Certik audit, suggesting that Merlin could be a rug. Another said:
In the Merlin code, there is a "backdoor" code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function.
CertiK defends itself and says the audit job was well done
According to CertiK, an initial probe into the attack shows that the root cause was a potential private key management issue, not an exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
— CertiK (@CertiK) April 26, 2023
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
Notably, the blockchain security firm says it had highlighted the "centralization risk" in its audit under the "Decentralization Efforts" section, adding, "Audits cannot prevent private key issues. The auditor has also committed to sharing relevant information with the authorities if there is suspicion of foul play.
In an April 26 interview with Chinese media, Certik founder and professor at Columbia University, Gu Ronghui, proudly said:
We (CertiK) have turned blockchain security into a track almost by ourselves, which has attracted a lot of attention.
Gu also boasted about CertiK's 70% share of the crypto security market, saying that the auditing firm had reduced the cost of Web3 security audits by more than 90%.
Notwithstanding, the crypto community will be doubly cautious about the Merlin platform, whose main token is MAGE, currently in the public sale phase. Among the main offerings of the DEX is Core Farming Pools, which according to officials, would only be launched after the audit is completed to reassure investors.
Notably, the hack happened on the same day this interview was published. CertiK will remain under the microscope.
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.
If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.
FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.
The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.
Recommended Content
Editors’ Picks
Dogecoin Price Forecast: Bulls deploy $355M in DOGE longs amid Gensler exit confirmation
Dogecoin price crossed $0.40 on Friday, after a weeklong consolidation that saw DOGE tumble 13% from last week’s peak. Derivative market reports link the DOGE rally to Gary Gensler’s imminent exit.
Crypto Today: XRP gains 10%, Cardano, XRP, and DOGE price rallies, delay Bitcoin’s $100K breakout
The global cryptocurrency sector pulled $230 million capital inflows on Friday, as markets reacted positively to news of SEC Chair Gary Gensler’s imminent exit.
Cardano Price Forecast: ADA could rally by another 30% as on-chain data signals bullish sentiment
Cardano (ADA) surged 24% to $0.98 on Friday following rising weekly active addresses, increased open interest and spot buying pressure.
Shiba Inu holders withdraw 1.67 trillion SHIB tokens from exchange
Shiba Inu trades slightly higher, around $0.000024, on Thursday after declining more than 5% the previous week. SHIB’s on-chain metrics project a bullish outlook as holders accumulate recent dips, and dormant wallets are on the move, all pointing to a recovery in the cards.
Bitcoin: Rally expected to continue as BTC nears $100K
Bitcoin (BTC) reached a new all-time high of $99,419, just inches away from the $100K milestone and has rallied over 9% so far this week. This bullish momentum was supported by the rising Bitcoin spot Exchange Traded Funds (ETF), which accounted for over $2.8 billion inflow until Thursday. BlackRock and Grayscale’s recent launch of the Bitcoin ETF options also fueled the rally this week.
Best Forex Brokers with Low Spreads
VERIFIED Low spreads are crucial for reducing trading costs. Explore top Forex brokers offering competitive spreads and high leverage. Compare options for EUR/USD, GBP/USD, USD/JPY, and Gold.