WEB3
by BSCN
April 26, 2023
The hack was discovered after the launch of Merlin’s main income farming pools, and security firms and community members immediately pointed it out.
Merlin, a zkSync-based decentralized exchange, suffered a hack on its liquidity pool on April 26 and lost $1.82 million. The incident occurred shortly after the platform's public sale of its token went live.
Blockchain security firm, PeckShield, and community members have reported that the exchange has been exploited, providing the exploiter's addresses.
Peckshield reports that one of the exploiters bridged USDC tokens worth $850k from zkSync to Ethereum. Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.
Currently, it appears that two addresses perpetrated the exploit. While an address beginning with 0x2744 bridged $850,000 USDC to Ethereum, 0x2744d62 took $844,000 USDC.
Merlin has also confirmed the exploit and requested everyone to revoke wallet/sign permissions connected to the exploited platform.
Meanwhile, eZKalibur, a decentralized exchange and launchpad powered by zkSync, claims to have found the malicious code that caused the funds to disappear. According to eZKalibur, the Merlin contract implementation function includes two lines that allow you to withdraw an unlimited tokens to your address.
Developers of some other projects have confirmed the conclusions of eZKalibur.
Merlin DEX caused quite a stir since it was built on zkSync and even established several partnerships. There are a number of Core Farming Pools on the platform that drew millions of users in as little as a few days. It is currently running its public sale for the MAGE token.
Certik company recently completed a re-audit of Merlin codebase's security on April 24. According to Certik’s website, there were no critical findings in the audit report.
Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit.
"While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
A number of commentators questioned the quality of the CertiK audit.
Recent events have highlighted the questionable reliability of DeFi audits. The criticisms of CertiK's Terra audit and the hacks that have followed several audits have left the crypto community increasingly wary. Nevertheless, audits are essential in ensuring the safety and security of DeFi projects. However, as the public's trust in audits dwindles, projects must focus on developing high-quality audits and robust designs to regain their trust.
zkSync is an Ether and ERC20 token transfer layer 2 solutions. The L2 protocol positions itself as an Ethereum scaling and privacy engine. The project is based on a zero-knowledge (ZK) rollup architecture that allows for "unlimited" Ethereum scaling.
Learn more about zkSync:
Latest News
1h : 6m ago
VanEck Predicts Strategic Bitcoin Reserve Could Offset $42T of U.S. Debt by 2049
2h : 21m ago
Trump Appoints Former GOP Candidate Bo Hines to Lead Crypto Council
December 21, 2024
Weekly Article Recap: 12/16-12/20
December 20, 2024
Injective and Sonic SVM Partners to Launch the First Cross-Chain AI Agent Platform
December 20, 2024
UK Judge Sentences Craig Wright to One Year in Prison for Contempt of Court
December 20, 2024
SEC Approves Bitcoin and Ethereum ETFs from Hashdex and Franklin Templeton
December 18, 2024
Ripple Dollar (RLUSD) Launches with Full Transparency and Regulatory Backing
December 18, 2024
Bitwise Launches Solana Staking ETP in Europe: What to Know