Over $1.8 million was stolen in a zkSync DEX Merlin attack

By Ali Raza
Updated: 26 April 2023

The crypto industry has recently received reports of a new major hack, and this time, online criminals have targeted zkSync’s DEX Merlin. According to the founder of 0xScope, 0xBobie, the stolen funds were sent to two separate wallets:

0x0b8a3ef6307049aa0ff215720ab1fc885007393d
0x2744d62a1e9ab975f4d77fe52e16206464ea79b7

"Stolen funds ($1,823,477) are in 1. 0x0b8a3ef6307049aa0ff215720ab1fc885007393d 2. 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7 The potential hacker bridged all of them to Ethereum. https://t.co/ADDnuhNjVI" — Bobie (@0xBobie) April 26, 2023

Meanwhile, Wu Blockchain officials have said that the public sale and the launch of Core Farming Pools were delayed in order for Certik to complete its audit and reassure investors that everything is in order. But, shortly after the audit was completed and Merlin finally started its public sale, the unknown individual targeted the project, stealing $1.82 million along the way.

WuBlockchain said that “zkSync DEX Merlin which got Certik Audit was hacked, more than $1.82 million in stolen funds, LP has been drained. Recently, the zkSync project has mixed quality. please check carefully.”

Officials said the Core Farming Pools and public sale will only be launched after Audit is completed by Certik in order to reassure investors. Just after Certik completed the audit and Merlin started the public sale, it was stolen.
https://t.co/HF5r8bauap https://t.co/56kWGoptog — Wu Blockchain (@WuBlockchain) April 26, 2023

Looking into the issue, Certik responded by saying that the initial findings point to a potential private key management problem rather than an exploit as the root cause. The company added that audits could not prevent issues involving private keys, but even so, Certik itself always highlights best practices for the projects.

The investigation of the incident

The company said in a tweet that it is actively investigating the incident, which happened soon after the project successfully passed its audit. The only issue the project found with the DEX is the matter of centralization, highlighted under the section “Decentralization Efforts.” It added that the discovery of any foul play would be handled quickly by notifying the appropriate authorities.

Due to Certik’s close involvement with the project, the company’s founder was interviewed by Chinese media. He expressed pride in the firm’s accomplishments so far, stating that Certik had made major strides in blockchain security and had achieved a 70% share of the crypto security market. He further claimed that the company had reduced the cost of Web3 security audits by over 90%. This would likely encourage others to seek audits from the firm moving forward.

Naturally, the community was not too happy with the incident, and many have started calling Merlin a rug on Twitter. Someone even reported alleged “malicious code” in the project’s code. However, this was explained as backdoor code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair in addition to the fee in the swap function.

The same individual who reported the backdoor, Thanh Nguyen, founder of the blockchain security firm Verichains, concluded that the insertion of a backdoor was intentional rather than a result of centralization, as suggested by Certik’s response.
"It appears that the insertion of a backdoor was intentional, rather than a result of centralization as suggested by @Certik's response (https://t.co/ty8yG8yRa1)" — Thanh Nguyen (@redragonvn) April 26, 2023