zkSync DEX Merlin Suffers Exploitation Exceeding $1.8M Following Code Review

56

Merlin, a decentralized exchange (DEX) built on Ethereum and utilizing zero-knowledge sync (zkSync), has experienced a loss exceeding $1.8 million due to a liquidity pool exploit just hours after its code was audited by the smart contract security firm CertiK.

The breach took place on Wednesday morning during the public sale of Merlin’s native token, MAGE, with the attacker extracting various assets, including USD Coin (), Ether (), and other less liquid tokens.

Merlin’s LP Compromised Following Code Audit

Shortly after the exploit, CertiK announced via Twitter that it was investigating the situation and assessing its implications for the community. The security firm revealed that its preliminary findings indicated a potential private key management issue may have contributed to the breach, rather than an exploit as was commonly assumed.

CertiK noted that it had highlighted the centralization risk in its recent audit report for Merlin in the “Decentralization Efforts” section. The firm emphasized that while audits cannot prevent private key problems, they consistently strive to promote improved practices for projects.

According to the audit dated April 24, 2023, CertiK advised Merlin to transition its centralized roles to a decentralized framework, such as multi-signature wallets, to bolster security measures. The firm also recommended that the protocol incorporate a timelock feature with a minimum delay of 48 hours to mitigate the risk of a single point of key management failure. CertiK has committed to collaborating with relevant authorities should any wrongdoing be uncovered.

ADVERTISEMENT

“We urge all community members to thoroughly review this information and all audits. As we navigate this difficult situation, we want to reassure you that we are taking all necessary steps to safeguard our community’s interests,” CertiK stated.

Malicious Code Identified

Notably, eZKalibur, another zkSync DEX and launchpad, disclosed that it had detected the malicious code that allowed the hackers to deplete Merlin’s funds. The DEX reported finding two lines of code in the initialize function that granted the feeTo address permission to transfer an unlimited quantity of tokens from the contract’s address.

In the meantime, the Merlin team has urged users to revoke access to the connected site on their wallets while they investigate the cause of the exploit.

SPECIAL OFFER (Sponsored) Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter CRYPTOPOTATO50 code to receive up to $7,000 on your deposits.