CertiK to initiate reimbursement strategy for $2 million Merlin DEX breach

Blockchain security company CertiK is introducing a compensation initiative to address the $2 million lost during the public sale of the decentralized exchange Merlin’s MAGE token.
In a communication to Cointelegraph on April 26, CertiK confirmed it is probing the exit scam and has engaged the remaining Merlin team to commence the compensation initiative. It stated:
“Preliminary investigations suggest that the fraudulent developers are located in Europe, and CertiK will work with law enforcement agencies to locate them if direct negotiations do not succeed.”
The blockchain security firm is requesting that the rogue developer return 80% of the misappropriated funds, offering to concede 20% as a white hat reward.
The company also emphasized that it is “dedicated to assisting affected users” even though private key privileges fall outside the scope of a smart contract audit.
On April 26, Merlin lost approximately $850,000 in USD Coin (USDC), along with other relatively illiquid tokens, during its three-day MAGE token public sale, which had no hard cap. Blockchain data indicates that an address holding privileged access to the liquidity pool was able to extract the funds with ease.
We conducted an analysis of Merlin smart contracts and identified the malicious code responsible for the fund drain.
These two lines of code in the initialize function effectively grant approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
CertiK, which performed an audit of Merlin’s code, responded with its initial observations indicating a “possible private key management issue.”
We’re actively looking into the @TheMerlinDEX incident. Initial findings suggest a potential private key management issue rather than an exploit as the underlying cause.
While audits cannot avert private key issues, we consistently emphasize best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
Crypto Twitter raised questions regarding the CertiK audit, suggesting the possibility of a rug pull.
Verichains founder Thanh Nguyen hinted at a “backdoor” in Merlin’s code, stating it poses a “clear security risk as there is no use case that necessitates its approval.”
3/4 However, in the Merlin code, there is a “backdoor” code (L87-88) that permits the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function. This backdoor is a clear security risk as there is no use case that requires its approval. pic.twitter.com/HAnwZT27ZS
— Thanh Nguyen (@redragonvn) April 26, 2023
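The two analyses above describe the same mechanism: a pair contract that, at initialization, grants the factory's feeTo address an unbounded ERC-20 allowance over its own reserves, so that whoever controls feeTo can later call transferFrom and empty the pool without touching the swap logic. The following is an added illustration written for this article, not Merlin's code and not a reconstruction of it. The contract names, the IFactory interface and the fee rate are hypothetical; it shows the backdoored pattern beside a version in which the pair never delegates spending of its reserves at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed to show the problem.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Factory surface the pair consults for the fee recipient (hypothetical interface name).
interface IFactory {
    function feeTo() external view returns (address);
}

// Backdoored pattern (illustrative). At initialization the pair hands feeTo an unlimited
// allowance over both reserve tokens. From then on the holder of the feeTo key can run
//   token.transferFrom(pair, anywhere, token.balanceOf(pair))
// for each token and drain the pool. No swap, no flash loan, no price manipulation.
contract BackdooredPair {
    address public immutable factory;
    address public token0;
    address public token1;

    constructor() { factory = msg.sender; }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = _token0;
        token1 = _token1;
        address feeTo = IFactory(factory).feeTo();
        // These two lines are the backdoor. Collecting a protocol fee never requires the
        // pair to let an externally controlled address spend its reserves.
        IERC20(_token0).approve(feeTo, type(uint256).max);
        IERC20(_token1).approve(feeTo, type(uint256).max);
    }
}

// Hardened pattern (illustrative). The pair grants no allowance over its reserves.
// A protocol fee, if any, is computed inside the swap path and pushed by explicit
// transfer, so the most feeTo can ever receive in one call is that fee amount.
contract FeePushingPair {
    address public immutable factory;
    address public token0;
    address public token1;
    uint256 public constant FEE_BPS = 30; // hypothetical: 0.30% of amountIn

    constructor() { factory = msg.sender; }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = _token0;
        token1 = _token1;
    }

    // Fee path only; the constant-product pricing that would surround it is omitted.
    function _takeProtocolFee(address tokenIn, uint256 amountIn) internal returns (uint256 fee) {
        fee = amountIn * FEE_BPS / 10_000;
        address feeTo = IFactory(factory).feeTo();
        if (fee > 0 && feeTo != address(0)) {
            require(IERC20(tokenIn).transfer(feeTo, fee), "FEE_TRANSFER_FAILED");
        }
    }
}

// What a reviewer or user can verify on chain without any source code: an allowance
// from the pair to a privileged address is public state. Any non-zero value here means
// the reserves can leave the pool without a swap.
contract AllowanceProbe {
    function reserveExposure(address token, address pair, address spender) external view returns (uint256) {
        return IERC20(token).allowance(pair, spender);
    }
}
```

The same probe can be run from the command line with Foundry's cast (assumed tooling), e.g. `cast call <token> "allowance(address,address)(uint256)" <pair> <feeTo>`; for a pair that follows the hardened pattern the result is 0, and a value of 2^256-1 is the signature of the unbounded approval the tweets describe. When auditing any AMM pair, grep the initialize and constructor paths for approve calls whose spender is not the pair itself or its router, and ask what use case requires them; in a Uniswap v2 style design the answer is none.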
“While audits can detect potential risks and vulnerabilities, they cannot prevent malicious actions by rogue developers such as rug pulls,” CertiK stated in a communication to Cointelegraph. “We advise users to seek projects with a ‘KYC Badge’ as an additional layer of security, indicating that the project has voluntarily undergone a KYC vetting process.”
The firm clarified that doing so can aid in reducing and mitigating the risk of insider threats like rug pulls.
CertiK stated it will continue to provide updates regarding its compensation initiative and ongoing investigation.
This article was updated to indicate that only CertiK had proposed a compensation plan for the Merlin DEX exploit.