Merlin, an Ethereum-based decentralized exchange (DEX) utilizing zkSync layer-2 protocol, suffered an exploit in which roughly $1.8 million in funds were lost.
Developer announcement 📢
— Merlin (@TheMerlinDEX) April 26, 2023
Can everyone revoke connected site access on your wallets/sign permission https://t.co/YRxH7IUU4T
We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution.
More updates will be provided
, the firm which issued the , claimed in its preliminary investigation that the incident may have originated from a private key management issue, rather than an exploit. The firm highlighted the "centralization risk" in its audit while also emphasizing that audits, on their own, are not designed to prevent private key issues. CertiK has assured that it will share relevant information with authorities if foul play can be suspected, or if insider information was possibly leaked.
CertiK is a , and yet despite its defense on the matter, others have questioned the validity of the audit. eZKalibur, another DEX, claims to have identified the malicious code responsible for the fund drainage and raised questions on the quality of CertiK's audit.
According to eZKalibur, the problematic code lies within the initialize function, where two lines of code grant approval for the feeTo address to transfer an unlimited amount (type(uint256).max) of token0 and token1 from the contract's address. In this case, the feeTo address could potentially call the transferFrom function on the respective tokens, allowing the transfer of tokens from the contract's address to itself.
This finding raises questions about the thoroughness of CertiK's audit, as the risk of a rug pull, which is a significant concern, was not explicitly highlighted in the reporrt.
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
As the debate over the auditing process and centralization risks continues, blockchain data indicates that two addresses were responsible for the exploit. An address starting with 0x2744 took $850,000 USDC and bridged it to Ethereum, while another address, 0x2744d62, stole $844,000 USDC.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
North Korean Hackers Target Crypto Users with Chrome Vulnerability
Pump, Dump, and Jump: Trading Firm Faces Lawsuit Over Token Manipulation