- Merlin is an Ethereum-based decentralized exchange (DEX) which uses zero-knowledge sync (zkSync).
- The DEX has lost more than $1.8 million in a liquidity pool hack.
- The hack took place barely hours after smart contract security firm CertiK audited the DEX’s code.
Ethereum-based decentralized exchange (DEX) Merlin woke up to bad news on Wednesday morning after a hacker(s) drained the DEX $1.8 million in a liquidity pool hack. The hack happened during a public sale of Merlin’s native token MAGE.
The hacker(s) stole several cryptocurrency assets including Ethereum (ETH), USD Coin (USDC), and other illiquid tokens.
CertiK had audited Merlin’s code
A few hours after the hack, security firm CertiK tweeted saying that it was investigating the incident to understand its impact on the community. It also said that its initial findings suggest that it could have resulted from an issue with a private key management meaning it was hack and not an exploit as widely thought.
CertiK conducted an audit of Merlin’s code on April 24, 2023, and recommended that Merlin improves its “centralized roles to the decentralized mechanism like multi-signature wallets to enhance security practices.” It also asked Merlin to implement a timelock feature with a latency of at least 48 hours to avoid a single point of key management.
CertiK also promised to collaborate with appropriate authorities in case anything came up.
CertiK and zkSync Era to compensate lost assets
While urging the hacker, who CertiK believes is a rogue developer, to return 80% of the stolen funds, the security firm offered a 20% white hat bounty to the hacker.
In a statement to a renowned media outlet on April 26, CertiK reiterated it is investigating the exit scam and has also enlisted the remaining Merlin team to initiate the compensation plan. The firm said:
“CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.”
CertiK also noted that private key privileges are “committed to assisting impacted users” notwithstanding that they are outside the scope of a smart contract audit.