Merlin’s liquidity pool has been drained of $1.8 million not long after blockchain security firm CertiK audited its code.
Merlin, a decentralized exchange (DEX) deployed on zkSync, an Ethereum Layer-2 zero-knowledge rollup, has lost more than $1.8 million in a liquidity pool exploit hours after smart contract security firm CertiK audited its code.
Merlin’s LP Drained After Code Audit
CertiK said it had pointed out the centralization risk in its recent audit report for Merlin, under the “Decentralization Efforts” section. The firm maintained that while an audit cannot prevent private key issues, it always makes a point of highlighting better practices for projects.
“We encourage all community members to review this information and all audits fully. As we navigate this challenging situation, we want to assure you that we are taking all necessary measures to protect our community’s interests,” CertiK said.
Malicious Code Detected
We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds. These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB — eZKalibur ∎ (@zkaliburDEX) April 26, 2023
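To make the pattern the tweet describes concrete, below is an added illustration written for this article; it is not Merlin's code, not taken from the tweet or the CertiK report, and every contract, function and variable name in it is assumed. The first contract shows a pool whose initialize function grants the feeTo address a type(uint256).max ERC-20 allowance over both reserve tokens; under standard ERC-20 semantics, whoever holds feeTo's private key can then call transferFrom on the pool's entire balance at any time, which is exactly the centralization risk an audit can flag but not prevent. The second contract is a hardened variant: it never approves the reserves at all, tracks protocol fees in separate counters, and lets feeTo withdraw only what has accrued.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical pool (names assumed) reproducing the risky pattern: initialize()
/// hands feeTo an unlimited allowance over the pool's own token reserves.
contract UnlimitedApprovalPool {
    address public token0;
    address public token1;
    address public feeTo;
    bool private initialized;

    function initialize(address _token0, address _token1, address _feeTo) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // The two lines that matter: after this, feeTo can call
        // IERC20(token).transferFrom(address(this), <anywhere>, <entire reserve>)
        // with no further check by the pool. LP funds are only as safe as feeTo's key.
        IERC20(_token0).approve(_feeTo, type(uint256).max);
        IERC20(_token1).approve(_feeTo, type(uint256).max);
    }
}

/// Hardened variant (names assumed): no allowance is ever granted on the reserves.
/// Protocol fees accrue in counters and only that amount can leave the pool.
contract AccruedFeePool {
    address public immutable token0;
    address public immutable token1;
    address public feeTo;       // should be a multisig or timelock, never a bare EOA
    uint256 public feesOwed0;   // protocol fee accrued in token0, not yet withdrawn
    uint256 public feesOwed1;   // same for token1

    constructor(address _token0, address _token1, address _feeTo) {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
    }

    /// Called by the swap path (omitted here) with the protocol fee taken on a swap.
    function _accrueFee(uint256 fee0, uint256 fee1) internal {
        feesOwed0 += fee0;
        feesOwed1 += fee1;
    }

    /// feeTo can withdraw only the accrued fee, never the LP reserves.
    function collectFees(address to) external returns (uint256 amount0, uint256 amount1) {
        require(msg.sender == feeTo, "not feeTo");
        amount0 = feesOwed0;
        amount1 = feesOwed1;
        feesOwed0 = 0;   // zero before transferring to avoid re-entrancy double-pay
        feesOwed1 = 0;
        if (amount0 > 0) require(IERC20(token0).transfer(to, amount0), "transfer0 failed");
        if (amount1 > 0) require(IERC20(token1).transfer(to, amount1), "transfer1 failed");
    }
}
```

The difference a practitioner should look for when reviewing a pool of this shape is whether any address other than the pool itself can move the reserves. In the first contract the answer is visible on-chain without reading source: calling `allowance(pool, feeTo)` on each reserve token returns type(uint256).max. In the second it returns zero, and the only outflow to feeTo is bounded by the fee counters rather than by the pool's balance.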