WEB3
by BSCN
April 26, 2023
The hack was discovered after the launch of Merlin’s main income farming pools, and security firms and community members immediately pointed it out.
Merlin, a zkSync-based decentralized exchange, suffered a hack on its liquidity pool on April 26 and lost $1.82 million. The incident occurred shortly after the platform's public sale of its token went live.
Blockchain security firm, PeckShield, and community members have reported that the exchange has been exploited, providing the exploiter's addresses.
Peckshield reports that one of the exploiters bridged USDC tokens worth $850k from zkSync to Ethereum. Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.
Currently, it appears that two addresses perpetrated the exploit. While an address beginning with 0x2744 bridged $850,000 USDC to Ethereum, 0x2744d62 took $844,000 USDC.
Merlin has also confirmed the exploit and requested everyone to revoke wallet/sign permissions connected to the exploited platform.
Meanwhile, eZKalibur, a decentralized exchange and launchpad powered by zkSync, claims to have found the malicious code that caused the funds to disappear. According to eZKalibur, the Merlin contract implementation function includes two lines that allow you to withdraw an unlimited tokens to your address.
Developers of some other projects have confirmed the conclusions of eZKalibur.
Merlin DEX caused quite a stir since it was built on zkSync and even established several partnerships. There are a number of Core Farming Pools on the platform that drew millions of users in as little as a few days. It is currently running its public sale for the MAGE token.
Certik company recently completed a re-audit of Merlin codebase's security on April 24. According to Certik’s website, there were no critical findings in the audit report.
Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit.
"While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
A number of commentators questioned the quality of the CertiK audit.
Recent events have highlighted the questionable reliability of DeFi audits. The criticisms of CertiK's Terra audit and the hacks that have followed several audits have left the crypto community increasingly wary. Nevertheless, audits are essential in ensuring the safety and security of DeFi projects. However, as the public's trust in audits dwindles, projects must focus on developing high-quality audits and robust designs to regain their trust.
zkSync is an Ether and ERC20 token transfer layer 2 solutions. The L2 protocol positions itself as an Ethereum scaling and privacy engine. The project is based on a zero-knowledge (ZK) rollup architecture that allows for "unlimited" Ethereum scaling.
Learn more about zkSync:
Latest News
0h : 32m ago
Binance Labs' New Investment: What is Perena?
3h : 17m ago
Arbitrum Foundation and Ubisoft Team Up to Launch Netflix Series-Inspired Web3 Shooter Game
4h : 47m ago
Brian Quintenz Emerges as Front-Runner for CFTC Chair Role Under Trump
December 11, 2024
Circle and Binance Form Strategic Partnership to Drive Global Adoption of USDC
December 11, 2024
Coinbase Institutional Integrates Chainlink into Project Diamond for Secure Tokenized Asset Management
December 11, 2024
Ripple's RLUSD Stablecoin Receives NYDFS Approval, Launch Imminent
December 10, 2024
Baby Doge Coin Hits All-Time High, Surpasses $1B Market Cap
December 10, 2024
Floki Launches Crypto Debit Card in 31 European Countries with Mastercard Partnership