{"id":77944,"date":"2023-04-27T13:52:16","date_gmt":"2023-04-27T10:52:16","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=77944"},"modified":"2025-09-11T02:09:50","modified_gmt":"2025-09-10T23:09:50","slug":"merlin-dex-and-certik-pledge-2m-restitution-to-victims-of-the-hack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/merlin-dex-and-certik-pledge-2m-restitution-to-victims-of-the-hack\/","title":{"rendered":"Merlin DEX and CertiK pledge $2m restitution to victims of the hack"},"content":{"rendered":"<p>Developers of the zkSync Era-based decentralized exchange Merlin disclosed details of the ~$2 million exploit and said they planned to reimburse user losses.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Merlin\u2019s Post-Mortem<\/p>\n<p>It is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.<\/p>\n<p>In the early hours of this morning several members of the Back-End Team drained all of our Contracts.<\/p>\n<p>\u2014 Merlin (@TheMerlinDEX) <a href=\"https:\/\/twitter.com\/TheMerlinDEX\/status\/1651281814395187200?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>On 26 April, the main liquidity pools of the newly launched platform <a href=\"https:\/\/forklog.com\/en\/news\/merlin-on-zksync-era-hacked-for-1-82-million-after-certik-audit\">were emptied<\/a>.<\/p>\n<p>The team disclosed the exploit and urged users to revoke approvals for all smart contracts. Merlin did not disclose further details.<\/p>\n<p>Users noted that on 24 April, the day before the DEX launch, CertiK completed a code re-audit of the platform. Several researchers found a vulnerability in the software that could potentially allow all funds to be drained from the pools. 
Some users suspected the project of a rug-pull.<\/p>\n<p>Merlin said that user funds were drained by several members of the technical team.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThey conducted several on-chain transactions to drain the pools, execute sales and manipulate our frontend contracts. This was done through a function that allowed calls to be made for all pairs on the platform,\u201d the exchange\u2019s representatives said.<\/p>\n<\/blockquote>\n<p>According to Merlin, the CertiK auditors overlooked a \u201cclear overreach in the scope of control\u201d that this function had over all pools. However, Merlin also acknowledged that the backend developers had access to the code and could make changes.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">We had submitted all intended contracts to be used on our platform to Certik who carried out a full audit. However there has been a clear oversight on the overarching power the _owner had of the pools.<\/p>\n<p>\u2014 Merlin (@TheMerlinDEX) <a href=\"https:\/\/twitter.com\/TheMerlinDEX\/status\/1651281821001187357?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>The exchange published the GitHub accounts of programmers suspected of fraud. 
It asked the authorities of Serbia, where the group is believed to reside, to assist with the investigation.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Back-End Technical Team Committers:<a href=\"https:\/\/t.co\/mArANNfOsf\">https:\/\/t.co\/mArANNfOsf<\/a><a href=\"https:\/\/t.co\/JXG4E8wpnN\">https:\/\/t.co\/JXG4E8wpnN<\/a><a href=\"https:\/\/t.co\/iCc761ad8i\">https:\/\/t.co\/iCc761ad8i<\/a><a href=\"https:\/\/t.co\/m4JFK9bSl3\">https:\/\/t.co\/m4JFK9bSl3<\/a><\/p>\n<p>\u2014 Merlin (@TheMerlinDEX) <a href=\"https:\/\/twitter.com\/TheMerlinDEX\/status\/1651281816140107776?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>Merlin representatives noted that work on a compensation plan is being carried out in conjunction with CertiK. The audit firm confirmed its possible participation in the payout.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWe urge the rogue developers to accept a 20% bounty as white hat. Although we raised private-key privilege issues in the audit, we want to help victims and are determined to track down those behind this scam,\u201d CertiK said.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">2\/ We urge the rogue developers to accept a 20% white hat bounty. Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull. 
More compensation details will be released.<\/p>\n<p>\u2014 CertiK (@CertiK) <a href=\"https:\/\/twitter.com\/CertiK\/status\/1651276443622555654?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>In April, the attacker who stole <a href=\"https:\/\/forklog.com\/en\/news\/safemoon-dex-loses-about-9m-in-hack\">around $9 million<\/a> from the SafeMoon liquidity pool on BNB Chain agreed to return <a href=\"https:\/\/forklog.com\/en\/news\/safemoon-reaches-deal-with-hacker-to-recover-80-of-funds\">80%<\/a> of the funds in exchange for dropping charges.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Developers of the zkSync Era-based DEX Merlin disclosed details of the ~$2 million exploit and said they planned to reimburse user losses.<\/p>\n","protected":false},"author":1,"featured_media":77945,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1204,1154],"class_list":["post-77944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-certik","tag-crimes"],"aioseo_notices":[],"amp_enabled":true,"views":"30","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/77944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=77944"}],"version-history"
:[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/77944\/revisions"}],"predecessor-version":[{"id":77946,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/77944\/revisions\/77946"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/77945"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=77944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=77944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=77944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}