Certik To Launch Victim Aid Fund For $2m Merlin DEX Exploit

Table of Contents

• CertiK Working To Recover Stolen Funds
• USDC Stolen During Public Sale
• CertiK’s Audit Under Question
• CertiK’s Plan Offers 20% Bounty

The security firm CertiK is planning to launch a victim aid fund to return the funds stolen in the $2 million Merlin DEX exploit. 

CertiK Working To Recover Stolen Funds

The blockchain security company has jumped in to help the Merlin decentralized exchange in its dire situation. The latter lost around $2 million during a public sale of its MAGE token, despite being audited by the smart-contract auditor, CertiK. To help recover a portion of the lost funds, CertiK is launching a victim aid fund. 

The security firm has revealed that it is investigating the scam and has even worked with some members of the Merlin team to launch the victim aid fund. 

On April 26th, CertiK said, 

“Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful.”

USDC Stolen During Public Sale

The decentralized exchange was conducting a three-day public sale of its MAGE token when it was targeted by a rogue developer. The latter made away with around $850,000 of USD Coin and other relatively illiquid tokens. To sum it up, a total of $1.8 million worth of tokens were stolen in the attack. CertiK has dived into the blockchain data available on the attack and surmised that the culprit behind the attack must be someone who had control over the liquidity pool and could easily remove the funds. 

CertiK’s Audit Under Question

The root of the hack was uncovered by the eZKalibur team, which is a community-driven decentralized exchange. Their initial investigations helped them identify the malicious code responsible for the depletion of funds. Specifically, the initialize function contains two lines of code that grant approval to the feeTo address, allowing it to transfer an unlimited amount of token0 and token1 from the contract's address. This enables the feeTo address to call the transferFrom function and transfer tokens from the contract's address to itself.

The eZKalibur team had also questioned CertiK’s auditing, which had given the Merlin DEX a high ranking before the attack happened. 

CertiK’s Plan Offers 20% Bounty

The CertiK team is trying to appeal to the rogue developer with a victim aid fund, where they would get to keep a white hat bounty of 20% of the stolen funds after returning 80% to the exchange platform. According to CertiK's preliminary findings, the developers of the project are located in Europe, and the company is collaborating with law enforcement agencies to locate them.

The security firm also said, 

“Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull.”

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.