ETH

CertiK's Audit Miss: 2 Lines of Code Result in Over $2M Exploit on zkSync

by BSCN

May 4, 2023

CertiK's audit of Merlin, a zkSync protocol, proves ineffective in identifying an exploit that resulted in a loss of over $2 million.

Robust Security Practices Imperative

Leading Web3 auditing firm, CertiK, appear to have made a mishap in conducting an audit of Merlin, a protocol on .

The auditing miss failed to identify an exploit that wiped out over $2 million in public sale, LP, and private raise.

The exploit was made possible by two lines of code that allowed developers to withdraw tokens from the protocol through a feature that was not present in the code of a typical decentralized exchange (DEX).

BSC News reached out to several competing auditing firms like D3ploy who confirmed it will have been exceptionally difficult to miss the aforementioned lines of code. They confirmed detection would have been clear and that it would not have passed audit.

Others such as @AtlasIsMe, have taken to Twitter to point out what they perceive as glaring errors that lead to an inevitable exploit.

@AtlasIsMe also read the audit by CertiK and discovered that the methodology explained in the audit consisted of comparing Camelot vs. Merlin code. Although not an SC dev, AtlasIsMe underlined that even he could spot the differences between the two codes for the same function. AtlasIsMe criticized CertiK for initially awarding Merlin a security score of 90/100 and then downgrading it to 38 right after the rug pull.

Certik were quick to underline that they were already in the process of exploring a community compensation plan. This goes some way in affirming the team's dedication to the broader community.

Robust auditing practices conducted by reputable firms remain a huge factor in ensuring the space is safer and more welcoming to seasoned and fresh users alike. While errors will occur, it is essential that leading security firms continue to tighten screws and ensure effective practices if we are to continue driving the space forward.

What is CertiK:

CertiK is a blockchain security firm that helps projects identify and eliminate security vulnerabilities in blockchains, smart contracts, and Web3 applications using its services, products, and cybersecurity techniques.