ForkLog

Merlin DEX and CertiK pledge $2m restitution to victims of the hack

Developers of the zkSync Era-based decentralized exchange Merlin disclosed details of the ~$2 million exploit and said they planned to reimburse user losses.  

On 26 April, the main liquidity pools of the newly launched platform were emptied.

The team disclosed the exploit and urged users to revoke approvals for all smart contracts. Merlin did not disclose further details.

Users noted that on 24 April, the day before the DEX launch, CertiK completed a code re-audit of the platform. Several researchers found a vulnerability in the software that could potentially allow all funds to be drained from the pools. Some users suspected the project of a rug-pull.

Merlin said that user funds were drained by several members of the technical team.

“They conducted several on-chain transactions to drain the pools, execute sales and manipulate our frontend contracts. This was done through a function that allowed calls to be made for all pairs on the platform,” the exchange’s representatives said.

According to Merlin, there was a “clear overreach in the scope of control” of this function over all pools on the part of the CertiK auditors. However, Merlin also acknowledged that the backend developers had access to the code and could make changes.

The exchange published the GitHub accounts of programmers suspected of fraud. It asked authorities in Serbia, where the group is believed to reside, to assist with the investigation.

Merlin representatives noted that work on a compensation plan is being carried out in conjunction with CertiK. The audit firm confirmed its possible participation in the payout.

“We urge the rogue developers to accept a 20% bounty as white hat. Although we raised private-key privilege issues in the audit, we want to help victims and are determined to track down those behind this scam,” CertiK said.

In April, the attacker who stole around $9 million from the SafeMoon liquidity pool on BNB Chain agreed to return 80% of the funds in exchange for dropping charges.
