MerlinDex Rug Pull Examination
On April 25, 2023, 1.8 million USD was stolen from the decentralized exchange MerlinDex. CertiK (an auditing firm) has received some negative press over the incident because of the low emphasis placed on the area in which the MerlinDEX code error was found.
CertiK announced that, according to their investigation, the incident involving MerlinDex was a rug pull in which the wallet owner's privileges were exploited. Additionally, CertiK and their partners were able to freeze 160,000 USD of the stolen funds.
CertiK attempted to collaborate with Merlin DEX in recovering the stolen funds, but MerlinDEX refused to cooperate. Despite efforts to work with the rest of the team to mitigate the loss, two core team members declined repeated attempts to verify their identity. As a result, CertiK decided to focus their efforts on continuing to collaborate with law enforcement, and submitted reports and available information on the incident to agencies in the United States and the United Kingdom. CertiK has also revealed that they are trying to help the victims, and are considering all options to combat the 2 million USD rug pull. While there have been attempts to create a fund to aid the victims, CertiK has found that this will be much more difficult than originally anticipated. Therefore, they have decided to continue searching for alternative ways to help the community and the victims of rug pulls, and to fight against rug pulls.
CertiK warns that smart contract auditors should not be held fully responsible for failing to identify rug pulls, saying: "Code audits are meant to identify vulnerabilities, not to detect potential rug pulls. It's important to realize that many projects, big and small, have issues with centralization and the vast majority of them don't lead to rug pulls."
Merlin defended themselves by saying that the "rug pull" was carried out by their back-end team, in whom they had mistakenly placed great trust.
After this incident, MerlinDEX will have to regain trust very slowly, and may not succeed at all. This would mean the end of the protocol and its developers, if the crypto community discovers their identity. Then, every project with which they might be involved would be labeled as "another attempted fraud."
MerlinDEX had the misfortune of trusting their partners, which ultimately led to their downfall. This serves as a reminder to never underestimate the importance of thorough DYOR (do your own research), which could reveal the ulterior motives of certain developers.
I appreciate CertiK owning up to their mistake and committing to improving their communication with the community through their audits. Their stance is commendable and their support for the community shows that they are striving to ensure safety in the crypto world, rather than just collecting fees for audits.