On Wednesday, reports emerged that decentralized exchange Merlin, which was launched earlier this month, saw its liquidity pool drained of roughly $1.8 million. Auditing firm CertiK is now accusing rogue developers of the hack. The company had carried out an audit of the exchange a few days before it launched.
In a long Twitter thread, CertiK claimed that its initial investigations show the rogue developers reside in Europe and that it has already reached out to law enforcement to help track them down. Meanwhile, Merlin itself is accusing some of its back-end developers of stealing the funds. The decentralized exchange says it’s working on a compensation plan to make whole the affected users.
Built on an Ethereum scaling solution called ZkSync, Merlin began its operations after publicly offering its native token, MAGE. As mentioned earlier, the exchange contracted CertiK to audit its smart contracts, a practice that crypto companies consider important since it ensures the users’ assets are safe and helps build trust with their customers.
CertiK says the exploit may have resulted from a private key management problem, which the auditor claims it highlighted in its report.
Merlin has asked users to disconnect their wallets from the platform as a precautionary measure. The exchange tweeted that it’s conducting an internal investigation to find out the root cause of the exploit and would give updates in the coming days.
Centralization Issues
Several blockchain security firms say they have discovered massive centralization issues on Merlin’s smart contracts. Bug bounty protocol Immunefi, for example, reports an address that receives pool fees was granted access to the exchange’s liquidity pool. Therefore, there is a chance it may have drained the funds.
Meanwhile, eZKalibur, another decentralized exchange that runs on ZkSync, tweeted that it had discovered the malicious code used to drain funds from the Merlin smart contracts.
What Protocols Should Do to Protect Their Smart Contracts
Immunefi’s smart contract engineer Goncalo Magalhaes has asked crypto projects to adopt effective key management practices for their addresses. He suggested the use of multisig wallets, in which transactions require the approvals of several people before they are executed. Otherwise, the centralization of private keys will continue making it easy for hackers to exploit smart contracts.
The CEO of audit firm BlockSEC, Andy Zhou, argues that while audits on smart contacts help identify vulnerabilities and protect customer assets, people usually ignore the prospect that the project itself may be malicious, intending to rugpull its users. He urges other auditors to always check whether smart contracts include codes that allow developers to withdraw all users’ funds and share such information publicly.
Magalhaes has also called for crypto projects to contract more than one auditor so that when one fails to detect vulnerabilities, the others may identify them.
SureTradeGroup.com is not responsible for the content, accuracy, quality, advertising, products or any other content posted on the site. Some of the content on this site is paid content that is not written or posted by our writers or editors and the opinions expressed do not reflect the opinions of this website. Any disagreement you may have with brands or companies mentioned in articles will need to be taken care of directly with those specific brands and companies. The responsibility of anyone who may click links in our articles and ultimately sign up for that product or service is their own. Forex, Stocks, Cryptocurrencies, NFTs and Dogital Tokens are all a high-risk asset, investing in them can lead to losses. Readers should do their own research before taking any action.