WEB3
by BSCN
April 26, 2023
The hack was discovered after the launch of Merlin’s main income farming pools, and security firms and community members immediately pointed it out.
Merlin, a zkSync-based decentralized exchange, suffered a hack on its liquidity pool on April 26 and lost $1.82 million. The incident occurred shortly after the platform's public sale of its token went live.
Blockchain security firm, PeckShield, and community members have reported that the exchange has been exploited, providing the exploiter's addresses.
Peckshield reports that one of the exploiters bridged USDC tokens worth $850k from zkSync to Ethereum. Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.
Currently, it appears that two addresses perpetrated the exploit. While an address beginning with 0x2744 bridged $850,000 USDC to Ethereum, 0x2744d62 took $844,000 USDC.
Merlin has also confirmed the exploit and requested everyone to revoke wallet/sign permissions connected to the exploited platform.
Meanwhile, eZKalibur, a decentralized exchange and launchpad powered by zkSync, claims to have found the malicious code that caused the funds to disappear. According to eZKalibur, the Merlin contract implementation function includes two lines that allow you to withdraw an unlimited tokens to your address.
Developers of some other projects have confirmed the conclusions of eZKalibur.
Merlin DEX caused quite a stir since it was built on zkSync and even established several partnerships. There are a number of Core Farming Pools on the platform that drew millions of users in as little as a few days. It is currently running its public sale for the MAGE token.
Certik company recently completed a re-audit of Merlin codebase's security on April 24. According to Certik’s website, there were no critical findings in the audit report.
Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit.
"While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
A number of commentators questioned the quality of the CertiK audit.
Recent events have highlighted the questionable reliability of DeFi audits. The criticisms of CertiK's Terra audit and the hacks that have followed several audits have left the crypto community increasingly wary. Nevertheless, audits are essential in ensuring the safety and security of DeFi projects. However, as the public's trust in audits dwindles, projects must focus on developing high-quality audits and robust designs to regain their trust.
zkSync is an Ether and ERC20 token transfer layer 2 solutions. The L2 protocol positions itself as an Ethereum scaling and privacy engine. The project is based on a zero-knowledge (ZK) rollup architecture that allows for "unlimited" Ethereum scaling.
Learn more about zkSync:
Latest News
0h : 51m ago
OKX Ventures, The Open Platform, and Folius Ventures Launch $10M Telegram Growth Hub
October 29, 2024
Is Bitcoin Set to Soar Even Higher?
October 29, 2024
DWF Labs Dismisses Partner Amid Drink-Spiking Allegations in Hong Kong
October 29, 2024
Visa and FV Bank Debut New Debit and Expense Cards, Bridging Crypto and Fiat Global Payments
October 29, 2024
Bitcoin Surges Past $71,000: What Could be the Possible Reasons?
October 29, 2024
Hong Kong Expands Tax Incentives to Include Virtual Assets, Targeting Institutional Investors
October 28, 2024
Dogecoin Surges Amid Musk and Trump Connections
October 28, 2024
Could Robinhood’s U.S.-Only Election Market Predict Results Better by Excluding Foreign Influence?