zkSync DEX Merlin "hacked" after CertiK audit

MerlinDEX, a decentralized exchange deployed on zkSync, a zero-knowledge rollup Layer 2 built on Ethereum, lost over 1.8 million USD in liquidity shortly after its code was audited by CertiK. The drain took place during the public sale of Merlin's native token, MAGE: the attacker moved several assets out of the protocol's pools, including USDC, ETH and a number of thinly traded tokens.

On April 24, 2023, CertiK re-audited the smart contracts of MerlinDEX. According to their findings, no critical vulnerabilities were discovered that could lead to a possible platform hack.


Meanwhile, eZkalibur, another DEX built on zkSync, pointed to two lines in MerlinDEX's pool contract that granted a privileged, developer-controlled fee address an unlimited token allowance over the pool's reserves. Whoever held the key for that address could transfer any amount of tokens from the contract to another address at any time, without going through the swap or liquidity logic at all.
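To make the pattern concrete, here is an added illustration (not MerlinDEX's own code, and not code from eZkalibur or CertiK) of a pair-style pool that hands a fee address a blanket allowance at initialization, next to a hardened variant that only ever pays out the fees it has actually accrued. Contract and variable names (`UnsafePair`, `SafePair`, `feeTo`, `collectFees`) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative only. At initialization the pool grants `feeTo` an unlimited
/// allowance over both reserve tokens. The holder of the `feeTo` key can then
/// call token.transferFrom(pool, anywhere, pool balance) and empty the pool
/// without touching a single line of the swap or liquidity code.
contract UnsafePair {
    address public factory;
    address public token0;
    address public token1;
    address public feeTo;

    constructor() { factory = msg.sender; }

    function initialize(address _token0, address _token1, address _feeTo) external {
        require(msg.sender == factory, "not factory");
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // The two dangerous lines: a blanket allowance on the pool's own reserves.
        IERC20(_token0).approve(_feeTo, type(uint256).max);
        IERC20(_token1).approve(_feeTo, type(uint256).max);
    }
}

/// Hardened variant: the pool never approves anyone to spend its reserves.
/// Protocol fees are tracked explicitly and paid out with a bounded transfer,
/// so the most a compromised or malicious fee key can ever take is the fee
/// that has actually accrued, never user liquidity.
contract SafePair {
    address public factory;
    address public token0;
    address public token1;
    uint256 public fee0Accrued;
    uint256 public fee1Accrued;

    constructor() { factory = msg.sender; }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "not factory");
        require(token0 == address(0), "already initialized");
        token0 = _token0;
        token1 = _token1;
    }

    // Called from the swap path (omitted here) to record the protocol's share.
    function _accrueFee(uint256 amt0, uint256 amt1) internal {
        fee0Accrued += amt0;
        fee1Accrued += amt1;
    }

    // Only the factory may trigger a payout, and only the accrued amounts leave.
    function collectFees(address to) external {
        require(msg.sender == factory, "not factory");
        uint256 a0 = fee0Accrued;
        uint256 a1 = fee1Accrued;
        fee0Accrued = 0;
        fee1Accrued = 0;
        if (a0 > 0) require(IERC20(token0).transfer(to, a0), "token0 transfer failed");
        if (a1 > 0) require(IERC20(token1).transfer(to, a1), "token1 transfer failed");
    }
}
```

The check a reviewer wants is mechanical: search pool and vault contracts for `approve(` calls whose amount is `type(uint256).max` (or the older `uint(-1)`) and whose spender is anything other than a contract the pool must interact with, and confirm on-chain that `allowance(pool, privilegedAddress)` is zero for every reserve token. An allowance like the one in `UnsafePair` is not an exploit waiting to be found; it is a withdrawal right that already exists, and an audit that flags it only under "centralization risk" is telling you exactly that.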


CertiK tweeted a few hours after the incident that it was investigating the situation and assessing the impact on the community. According to its initial findings, the drain was likely the result of a private key management problem on the project's side rather than an exploit of a code vulnerability, which is what is usually assumed when a protocol is emptied.

CertiK explained that the "Decentralization Effort" section of Merlin's recent audit report had already warned of the risk of centralization. The company stressed that an audit cannot prevent key management failures; what it can do is flag privileged roles and recommend better operational practices to the project. For a user, such a finding means that the safety of the funds rests on the honesty and key hygiene of whoever holds those roles, regardless of what the rest of the report says about the code.

In the audit from April 24, 2023, CertiK recommended that Merlin replace its centralized roles with decentralized mechanisms, such as multi-signature wallets, to improve its security practices. The company also recommended that privileged operations be placed behind a time-lock with a delay of at least 48 hours, so that a single compromised or malicious key cannot act instantly and becomes a single point of failure. CertiK further promised to cooperate with the relevant authorities if any unethical behavior is detected.

The security firm PeckShield has since reported that, with the help of its community, the stolen funds have been traced. Two attacker addresses were identified: the first holds 850,000 USDC that was bridged out to the Ethereum mainnet, and the second holds 844,000 USDC.


Additionally, a further 31,000 USDC was transferred to Binance and another 133,800 USDC to MEXC, both centralized exchanges (CEXs). Those deposits are the most useful lead in the trace: unlike a self-custodied address, a CEX account is tied to KYC records and can freeze funds on request from law enforcement.


The MerlinDEX development team asked users on Twitter to disconnect their wallets from the platform as a precaution. Note that disconnecting a wallet from a website only ends the browser session; it does not revoke token allowances that were granted on-chain. Users who approved MerlinDEX's router to spend their tokens should also revoke those allowances explicitly.

IMPACT

After this incident, it will be difficult for MerlinDEX to restore its reputation. If it is proven to be an intentional rug pull, that would likely mean the end of the protocol, as the loss of user trust would be insurmountable. If, however, the MerlinDEX developers can show that they had nothing to do with the drain, it is still possible to save the platform and regain user trust.

The key to restoring trust will primarily be in fixing the code: removing the privileged allowance over pool reserves and placing any remaining admin roles behind a multi-signature wallet and a time-lock, as CertiK recommended. Developers should make every effort to repair these issues as soon as possible, thereby quickly ensuring the safety of users. This should be accompanied by further code audits by independent and reputable auditing firms, which would give users assurance that the developers are genuinely working to fix the issues and protect their funds.

Another step toward rebuilding trust would be transparency: regularly informing users about what is happening behind the scenes. This strengthens the community, as users typically appreciate being kept in the loop.

I cannot understand how CertiK could have overlooked such a serious error that was pointed out by eZkalibur. This incident raises questions about the reliability of CertiK and whether more errors were overlooked in previous audits.

Previously, I considered CertiK to be one of the best auditing firms, and when I saw that they were auditing a project in which I wanted to invest, I had confidence that the code was sound. After today, though, I can no longer have such confidence, and audits by CertiK no longer hold the same value for me as they did before.

Ondřej Tittl
