Exploited Funds Bridged to Ethereum

Merlin, a zkSync-based decentralized exchange, suffered a hack on its liquidity pool on April 26 and lost $1.82 million. The incident occurred shortly after the platform's public sale of its token went live. 

Blockchain security firm, PeckShield, and community members have reported that the exchange has been exploited, providing the exploiter's addresses. 

Peckshield reports that one of the exploiters bridged USDC tokens worth $850k from zkSync to Ethereum. Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.

Currently, it appears that two addresses perpetrated the exploit. While an address beginning with 0x2744 bridged $850,000 USDC to Ethereum, 0x2744d62 took $844,000 USDC.

Merlin has also confirmed the exploit and requested everyone to revoke wallet/sign permissions connected to the exploited platform.

Meanwhile, eZKalibur, a decentralized exchange and launchpad powered by zkSync, claims to have found the malicious code that caused the funds to disappear. According to eZKalibur, the Merlin contract implementation function includes two lines that allow you to withdraw an unlimited tokens to your address.

Developers of some other projects have confirmed the conclusions of eZKalibur. 

Merlin DEX caused quite a stir since it was built on zkSync and even established several partnerships. There are a number of Core Farming Pools on the platform that drew millions of users in as little as a few days. It is currently running its public sale for the MAGE token. 

‍

Merlin Exploited Days After Certik Audit

Certik company recently completed a re-audit of Merlin codebase's security on April 24. According to Certik’s website, there were no critical findings in the audit report.

Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit.

"While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."

A number of commentators questioned the quality of the CertiK audit.

Recent events have highlighted the questionable reliability of DeFi audits. The criticisms of CertiK's Terra audit and the hacks that have followed several audits have left the crypto community increasingly wary. Nevertheless, audits are essential in ensuring the safety and security of DeFi projects. However, as the public's trust in audits dwindles, projects must focus on developing high-quality audits and robust designs to regain their trust. 

‍

What is zkSync:

zkSync is an Ether and ERC20 token transfer layer 2 solutions. The L2 protocol positions itself as an Ethereum scaling and privacy engine. The project is based on a zero-knowledge (ZK) rollup architecture that allows for "unlimited" Ethereum scaling.

‍

Learn more about zkSync:

Website | Twitter | Discord | Telegram