
Merlin on zkSync Era hacked for $1.82 million after CertiK audit
Decentralised exchange Merlin, built on layer-2 solution zkSync Era, lost assets worth about $1.82 million in what appears to be an exploit, shortly after CertiK’s audit.
URGENT: @TheMerlinDEX has been HACKED!
Over $1.82M stolen from investors as LP drains. If you’ve interacted with their contracts, revoke your wallet IMMEDIATELY! ⚠️
Revoke here https://t.co/SdEInOVqZp
Help warn others — RETWEET this vital info! pic.twitter.com/1UB40UCDxl
— Documenting zkSync (@DocumentzkSync) April 26, 2023
The exchange’s developers said they were investigating a possible breach and urged users to revoke approvals for all smart contracts. They promised to provide further information later.
Developer announcement
Can everyone revoke connected site access on your wallets/sign permission https://t.co/YRxH7IUU4T
We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution.
More updates will be provided
— Merlin (@TheMerlinDEX) April 26, 2023
The incident occurred immediately after the platform’s main yield-farming pools were launched. On April 24, CertiK completed a renewed security audit of Merlin’s codebase.
Experts from CertiK stated that the preliminary investigation pointed to a potential private-key management issue as the main cause of the unauthorized withdrawal, rather than an exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
"While audits cannot prevent key-management problems, we always highlight best practices for projects. In the event of any misconduct, we will work with the relevant authorities and share information," CertiK said.
The team behind the DEX eZKalibur reportedly identified the malicious code in Merlin's contracts that enabled the theft of assets. Both exchanges use smart-contract code similar to that of Camelot, another decentralized platform on the zkSync Era network.
We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
Unlike its rivals, Merlin's contract implementation contains two lines in the initialize function that grant the feeTo address, which belongs to the deployer, an unlimited allowance over the pool's tokens, so the deployer can withdraw them at will.
The findings from eZKalibur were echoed by developers of other projects. Users suspected Merlin's team of carrying out a rug pull.
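As an added example (not Merlin's code, nor CertiK's or eZKalibur's tooling), a small Python check of the kind a reviewer could run over pair-contract source to flag the pattern described above: an `approve` call that hands some address an unlimited allowance. The Solidity fragments inside are constructed to mirror that description; `IFactory`, `feeTo()` and the function layout are assumptions.

```python
import re

# Constructed Solidity fragment (not Merlin's actual source) modelled on the
# reported pattern: the pair's initializer gives the factory's feeTo address
# an unlimited allowance over both reserve tokens.
VULNERABLE_PAIR = """
function initialize(address _token0, address _token1) external {
    require(msg.sender == factory, "FORBIDDEN");
    token0 = _token0;
    token1 = _token1;
    address feeTo = IFactory(factory).feeTo();
    IERC20(_token0).approve(feeTo, type(uint256).max);
    IERC20(_token1).approve(feeTo, type(uint256).max);
}
"""

# Same initializer with the two lines removed: a pool moves reserves only
# through its own swap/burn logic and needs no standing allowance to anyone.
SAFE_PAIR = """
function initialize(address _token0, address _token1) external {
    require(msg.sender == factory, "FORBIDDEN");
    token0 = _token0;
    token1 = _token1;
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
APPROVE_RE = re.compile(r"\.approve\s*\((.*?)\)\s*;")
UNLIMITED = {"type(uint256).max", "uint256(-1)", "~uint256(0)", "2**256-1"}


def _function_bodies(source):
    """Yield (name, body) for each function, matching braces by hand."""
    for m in FUNC_RE.finditer(source):
        start = source.find("{", m.end())
        if start == -1:
            continue  # declaration without a body (e.g. in an interface)
        depth, i = 0, start
        while i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                break
            i += 1
        yield m.group(1), source[start:i + 1]


def find_unlimited_approvals(source):
    """Return (function, spender, amount) for every approve() whose amount is an
    unlimited sentinel; each hit is a finding to raise in review."""
    findings = []
    for name, body in _function_bodies(source):
        for call in APPROVE_RE.finditer(body):
            spender, _, amount = call.group(1).rpartition(",")
            if amount.replace(" ", "") in UNLIMITED:
                findings.append((name, spender.strip(), amount.strip()))
    return findings
```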
btw Merlin is a 100% rug,
It approves uint256 max to feesto address (deployer) which let it get drained.
LP tokens can be withdrawn but liq can't be removed for the same reason, there are no funds left in the pool
Source: @overnight_fi team member pic.twitter.com/QyZJZwCrPx
— yieldfarming (@delucinator) April 26, 2023
Commentators also questioned the quality of CertiK’s audit.
100% RUG, Their contract approves the tokens to the deployer. Bizarrely, @CertiK's audit has no hints pic.twitter.com/WCtdT2p2ib
— ConnorRepeat (@ConnorRepeat) April 26, 2023
Earlier this April, the DeFi protocol Terraport Finance on the Terra Classic network was hacked for $2 million ten days after its official launch.