Over a million dollars' worth of crypto was extracted from the zkSync-based decentralized exchange (DEX) Merlin.
Blockchain data shows that around $1.8 million worth of USDC, ETH and other cryptocurrencies was drained from Merlin shortly after the commencement of its presale.
Earlier this month, the Merlin team said that its core farming pools and public sale would only be launched after blockchain security firm CertiK had completed its audit of the protocol’s smart contract.
The CertiK audit found no critical issues, and Merlin launched a three-day public sale offering its MAGE tokens to generate liquidity. The sale turned out to be short-lived: the funds were removed from the protocol’s liquidity pools less than a day after they went live.
CertiK addressed the exploit in a statement posted to Twitter, saying that the root cause was likely linked to inadequate private key management rather than an external exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
However, several observers of the incident found it hard to believe that the malicious code in Merlin’s smart contracts was missed by the blockchain auditors.
“These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract’s address,” tweeted eZKalibur, another zkSync-based DEX.
“In this case, the feeTo address could potentially call the transferFrom function on the respective tokens to transfer tokens from the contract’s address to itself,” they added.
Essentially, the codebase appears to include a function that enables the owner to transfer all funds from the liquidity pools formed, pointing to the work of an insider.
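A reviewer can flag the pattern described above mechanically. The following is an added example, not Merlin's, CertiK's or eZKalibur's code: a small Python check that finds unlimited ERC-20 approvals in Solidity source and marks those made in setup functions. The sample contract, the function names and the SETUP_FUNCS list are constructed assumptions for illustration.

```python
import re

# Constructed sample written for this example from the description above.
# It is NOT Merlin's actual contract source.
SAMPLE_PAIR = """
contract Pair {
    address public token0; address public token1; address public feeTo;
    function initialize(address _t0, address _t1, address _feeTo) external {
        token0 = _t0; token1 = _t1; feeTo = _feeTo;
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
    function swap(uint256 amountOut, address to) external {
        IERC20(token0).transfer(to, amountOut);
    }
}
"""

FUNC = re.compile(r"\b(?:function\s+(\w+)|constructor)\s*\(")
APPROVE = re.compile(r"([\w.()\[\]]+)\.(?:approve|safeApprove)\(\s*([^,]+?)\s*,\s*([^;]+?)\)\s*;")
# Common spellings of "maximum uint256" in Solidity source.
UNLIMITED = re.compile(r"type\(\s*uint(?:256)?\s*\)\.max|uint(?:256)?\(\s*-\s*1\s*\)|~\s*uint(?:256)?\(\s*0\s*\)")
SETUP_FUNCS = {"constructor", "initialize", "init"}  # assumed names for one-time setup code

def function_bodies(source):
    """Yield (name, body) for each function with a body, using brace matching.
    Simplification: braces inside comments or string literals are not handled."""
    for m in FUNC.finditer(source):
        open_at, semi = source.find("{", m.end()), source.find(";", m.end())
        if open_at == -1 or 0 <= semi < open_at:
            continue  # bodiless declaration (interface or abstract function)
        depth = 0
        for i in range(open_at, len(source)):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                yield (m.group(1) or "constructor"), source[open_at + 1:i]
                break

def find_unlimited_approvals(source):
    """Return one finding per approve() call whose amount is the uint256 maximum."""
    findings = []
    for name, body in function_bodies(source):
        for token, spender, amount in APPROVE.findall(body):
            if UNLIMITED.search(amount):
                findings.append({"function": name, "token": token, "spender": spender,
                                 "in_setup": name in SETUP_FUNCS})
    return findings

if __name__ == "__main__":
    for f in find_unlimited_approvals(SAMPLE_PAIR):
        print(f"{f['function']}(): {f['token']} grants unlimited allowance to {f['spender']}")
```

A finding with in_setup set means the allowance exists from deployment onward, so the spender address and who controls its key deserve the same scrutiny as the contract logic.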
However, unlike typical rug pulls in the industry where the project erases all trace of its online presence, the Merlin developers tweeted asking users to revoke their wallet permissions as a precautionary measure.
Some users believe that the exploit was premeditated and orchestrated solely by the founder of the project, while the rest of the team was in the dark. At the time of writing, it was unclear which parties were involved.
the team is completely in the dark🥴
and @AtlasIsMe is the man who single-handedly made Merlin a better offering
last screenshot is in the Merlin <> Zksync TG (i did the intro as advisory duty) clearly we can tell it’s an f
— 禅 (@xen) April 26, 2023