- Merlin is an Ethereum-based decentralized exchange (DEX) built on zkSync Era, a zero-knowledge rollup.
- The DEX has lost more than $1.8 million in a liquidity pool hack.
- The hack took place barely hours after smart contract security firm CertiK audited the DEX’s code.
Ethereum-based decentralized exchange (DEX) Merlin recently experienced an unfortunate event when a hacker(s) stole over $1.8 million from the DEX in a liquidity pool hack. The attack took place during a public sale of Merlin’s native token MAGE.
The hacker(s) were able to get away with a number of different crypto assets, including Ethereum (ETH), USD Coin (USDC) and other illiquid tokens.
CertiK Investigates Incident
Hours after the hack was discovered, security firm CertiK tweeted that it was looking into the incident to determine its impact on the community. Early findings suggested the hack was due to an issue with private key management, as opposed to a smart contract exploit as was originally thought.
CertiK had audited Merlin's code on 24 April 2023. The firm had asked Merlin to implement a few features, such as a timelock with a latency of at least 48 hours on privileged actions, to enhance security and to move away from any centralized roles.
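The timelock CertiK recommended is a standard control: every privileged action is announced on-chain first and can only be executed after the delay, so a single compromised or rogue admin key cannot drain a pool in one transaction. The contract below is an added illustration of that pattern, not Merlin's code or CertiK's; the pool target, the admin address and the operation salt are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal 48-hour timelock in front of privileged pool operations.
/// Illustrative only; the pool contract it guards is assumed to grant
/// its owner-only functions to this contract's address, not to an EOA.
contract PoolTimelock {
    uint256 public constant MIN_DELAY = 48 hours;
    address public immutable admin; // ideally a multisig, not a single key

    // operation id => earliest block.timestamp at which it may execute
    mapping(bytes32 => uint256) public readyAt;

    event Queued(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Executed(bytes32 indexed id);
    event Cancelled(bytes32 indexed id);

    constructor(address _admin) { admin = _admin; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function opId(address target, bytes calldata data, uint256 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));
    }

    /// Step 1: announce the call. Nothing moves yet; the Queued event gives
    /// users and monitors at least 48 hours to react (e.g. withdraw liquidity).
    function queue(address target, bytes calldata data, uint256 salt) external onlyAdmin returns (bytes32 id) {
        id = opId(target, data, salt);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    /// Step 2: execute only once the delay has elapsed. The id is consumed
    /// first so the same queued operation cannot be replayed.
    function execute(address target, bytes calldata data, uint256 salt) external onlyAdmin {
        bytes32 id = opId(target, data, salt);
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }

    /// Abort a queued operation, e.g. after the community flags it.
    function cancel(bytes32 id) external onlyAdmin {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id);
    }
}
```

The delay only helps if the pool's privileged functions are reachable solely through this contract; a key that can call the pool directly bypasses it entirely.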
The security firm also promised to work with the relevant authorities in case any further developments arose.
Compensation Plan from CertiK and zkSync Era
CertiK urged the hacker, whom they believe to be a rogue developer, to return 80% of the stolen funds, offering a 20% white hat bounty in exchange.
In a statement released to the press on April 26, CertiK said that it was working on a compensation plan to cover the lost funds and that it had brought in the remaining Merlin team to help. The firm stated:
“CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.”
CertiK also added that they are willing to assist users affected by the hack even though it falls outside the scope of a smart contract audit.