WEB3
by BSCN
April 26, 2023
The hack was discovered after the launch of Merlin’s main income farming pools, and security firms and community members immediately pointed it out.
Merlin, a zkSync-based decentralized exchange, suffered a hack on its liquidity pool on April 26 and lost $1.82 million. The incident occurred shortly after the platform's public sale of its token went live.
Blockchain security firm PeckShield and community members reported that the exchange had been exploited and published the exploiter's addresses.
PeckShield reports that one of the exploiters bridged USDC tokens worth $850k from zkSync to Ethereum. Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.
Currently, it appears that two addresses perpetrated the exploit. While an address beginning with 0x2744 bridged $850,000 USDC to Ethereum, 0x2744d62 took $844,000 USDC.
Merlin has also confirmed the exploit and requested everyone to revoke wallet/sign permissions connected to the exploited platform.
Meanwhile, eZKalibur, a decentralized exchange and launchpad built on zkSync, claims to have found the malicious code that caused the funds to disappear. According to eZKalibur, the Merlin contract's implementation function includes two lines that allow an unlimited amount of tokens to be withdrawn to a given address.
Developers of some other projects have confirmed the conclusions of eZKalibur.
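Merlin's advice to revoke wallet approvals connected to the exploited platform, combined with the unlimited-withdrawal finding above, raises a practical question for affected users: which allowances are still open? The following is an added example, not code from the article, Merlin or eZKalibur, that decodes standard ERC-20 Approval event logs and lists the final non-zero allowances a wallet grants to a set of platform contracts, flagging unlimited ones. The spender, token and wallet addresses and the log records are constructed for the demonstration.

```python
# Added example, not from the article or from Merlin/eZKalibur: decode ERC-20
# Approval logs and list allowances a wallet still grants to a platform's
# contracts, so they can be revoked after an incident. All records are constructed.
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
# Constructed spender addresses standing in for the exploited platform's contracts.
PLATFORM_SPENDERS = {"0x" + "11" * 20, "0x" + "22" * 20}

def topic_to_address(topic):
    """An indexed address is stored as the 20-byte value left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def decode_approval(log):
    """Return token/owner/spender/value for an Approval log, None for other events."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": topic_to_address(topics[1]),
            "spender": topic_to_address(topics[2]), "value": int(log["data"], 16)}

def find_risky_approvals(logs, wallet, spenders=PLATFORM_SPENDERS):
    """Final non-zero allowance per (token, spender) that `wallet` grants to a listed spender.

    Logs are processed in chain order: a later Approval for the same token/spender
    overrides an earlier one, so a revoke (value 0) removes the entry.
    """
    latest = {}
    for log in logs:
        ev = decode_approval(log)
        if ev and ev["owner"] == wallet.lower() and ev["spender"] in spenders:
            latest[(ev["token"], ev["spender"])] = ev["value"]
    return [{"token": t, "spender": s, "value": v, "unlimited": v == UINT256_MAX}
            for (t, s), v in latest.items() if v > 0]

def pad32(addr):  # constructed sample data: encode an address as a 32-byte topic
    return "0x" + addr[2:].rjust(64, "0")
def word(n):      # encode a uint256 as a 32-byte data word
    return "0x" + format(n, "064x")
WALLET, OTHER = "0x" + "ab" * 20, "0x" + "cd" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad32(WALLET), pad32("0x" + "11" * 20)], "data": word(UINT256_MAX)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad32(WALLET), pad32("0x" + "22" * 20)], "data": word(1000 * 10**6)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad32(WALLET), pad32("0x" + "22" * 20)], "data": word(0)},  # revoked
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad32(OTHER), pad32("0x" + "11" * 20)], "data": word(UINT256_MAX)},
    {"address": TOKEN_A, "topics": [TRANSFER_TOPIC, pad32(WALLET), pad32(OTHER)], "data": word(5)},  # not an Approval
]
```

Run against the constructed logs, only the unlimited TOKEN_A allowance to the first platform contract is reported; the TOKEN_B allowance was revoked by the later zero-value Approval and the other wallet's approval is out of scope.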
Merlin DEX caused quite a stir since it was built on zkSync and even established several partnerships. There are a number of Core Farming Pools on the platform that drew millions of users in as little as a few days. It is currently running its public sale for the MAGE token.
CertiK recently completed a re-audit of Merlin's codebase on April 24. According to CertiK's website, the audit report contained no critical findings.
CertiK tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management rather than necessarily a code exploit.
"While audits cannot prevent private key issues, we always highlight best practices to projects," CertiK said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
A number of commentators questioned the quality of the CertiK audit.
Recent events have highlighted the questionable reliability of DeFi audits. Criticism of CertiK's Terra audit and the hacks that have followed several audits have left the crypto community increasingly wary. Audits nevertheless remain essential to the safety and security of DeFi projects. As public trust in audits dwindles, projects must focus on high-quality audits and robust designs to regain that trust.
zkSync is a layer 2 solution for Ether and ERC20 token transfers. The L2 protocol positions itself as an Ethereum scaling and privacy engine. The project is based on a zero-knowledge (ZK) rollup architecture that allows for "unlimited" Ethereum scaling.