zkSync DEX Merlin Exploited for Over $1.8M
1 year ago

Merlin’s liquidity pool has been drained of $1.8 million not long after blockchain security firm CertiK audited its code. 

Ethereum-based decentralized exchange (DEX) Merlin, which uses zero-knowledge sync (zkSync), has lost more than $1.8 million in a liquidity pool exploit hours after smart contract security firm CertiK audited its code.
The hack occurred on Wednesday morning during the public sale of Merlin’s native token, MAGE, with the attacker siphoning several assets, including USD Coin (USDC), Ether (ETH), and other illiquid tokens.

Merlin’s LP Drained After Code Audit

A few hours after the exploit, CertiK tweeted that it was investigating the incident and working to understand its impact on the community. The security firm disclosed that its initial findings suggested that a private key management issue, and not an exploit as widely believed, may have led to the hack.
CertiK said it pointed out the centralization risk in the recent audit report for Merlin under the “Decentralization Efforts” section. The firm insisted that while audits could not prevent private key issues, it always made sure to highlight better practices for projects.
As claimed in the audit dated April 24, 2023, CertiK recommended that Merlin move its centralized roles to a decentralized mechanism such as multi-signature wallets to enhance security practices. The firm also asked the protocol to implement a timelock feature with a latency of at least 48 hours to avoid a single point of key management failure. CertiK has also promised to work with appropriate authorities if any foul play is discovered.

“We encourage all community members to review this information and all audits fully. As we navigate this challenging situation, we want to assure you that we are taking all necessary measures to protect our community’s interests,” CertiK said.

Malicious Code Detected

Interestingly, eZKalibur, another zkSync DEX and launchpad, revealed it had identified the malicious code that enabled the hackers to drain Merlin’s funds. The DEX said it found two lines of code in the initialize function that gave the feeTo address approval to transfer an unlimited amount of tokens from the contract’s address.
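
A reviewer-side check for the pattern eZKalibur described, as an added example (not code from the article, Merlin, eZKalibur or CertiK): it scans Solidity source for allowance grants of the maximum value and reports the enclosing function and the spender expression. The sample contract, the function names and the regexes are constructed assumptions, and the parsing is simple brace matching rather than a full Solidity parser.

```python
import re

# Constructed Solidity sample modelled on the description above; not Merlin's source.
SAMPLE = """\
// constructed sample
interface IERC20 { function approve(address spender, uint256 amount) external returns (bool); }
contract Pair {
    address public token0; address public feeTo;
    function initialize(address _token0, address _feeTo) external {
        token0 = _token0; feeTo = _feeTo;
        IERC20(token0).approve(feeTo, type(uint256).max);
    }
    function pay(address to, uint256 amt) external { IERC20(token0).approve(to, amt); }
}
"""

FUNC = re.compile(r"\b(?:function\s+(\w+)|(constructor))\s*\(")
GRANT = re.compile(r"\.\s*(?:approve|safeApprove|increaseAllowance|safeIncreaseAllowance)\s*\(")
UNLIMITED = re.compile(r"type\s*\(\s*uint(?:256)?\s*\)\s*\.\s*max|uint(?:256)?\s*\(\s*-\s*1\s*\)|0x[fF]{64}")

def _blank_comments(src):
    # Overwrite comments with spaces so offsets and line numbers stay valid
    # (naive: does not special-case string literals).
    return re.sub(r"//[^\n]*|/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group()), src, flags=re.S)

def _closing(src, start, open_ch, close_ch):
    # Index of the delimiter that closes the one at src[start], or -1 if unbalanced.
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return i
    return -1

def unlimited_allowances(source):
    """Return (function, line, spender_expr) for every max-value allowance grant."""
    src, findings = _blank_comments(source), []
    for fn in FUNC.finditer(src):
        brace, semi = src.find("{", fn.end()), src.find(";", fn.end())
        end = _closing(src, brace, "{", "}") if brace != -1 else -1
        if end == -1 or -1 < semi < brace:
            continue  # declaration without a body (interface or abstract function)
        for call in GRANT.finditer(src, brace, end):
            close = _closing(src, call.end() - 1, "(", ")")
            if close == -1:
                continue
            spender, _, amount = src[call.end():close].rpartition(",")
            if UNLIMITED.search(amount):
                line = src.count("\n", 0, call.start()) + 1
                findings.append((fn.group(1) or fn.group(2), line, spender.strip()))
    return findings
```

A hit inside `initialize` or a constructor deserves the closest look, since the allowance is granted once at deployment and persists for the life of the contract.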

Meanwhile, the Merlin team has asked users to revoke access to the connected site on their wallets as they analyze the cause of the exploit.