- CertiK is working out a compensation plan for the $1.82 million hack against Merlin DEX.
- The blockchain security firm is working with zkSync to implement the base protocol for the Merlin platform.
- They have conceded a 20% white hat bounty, urging the exploiter to return 80% of the stolen funds.
CertiK, a blockchain security firm, has devised a compensation plan for the exploit that saw decentralized exchange Merlin lose $1.82 million worth of assets. In a recent development, the Web3 security firm has urged the exploiter to return 80% of the stolen funds with an offer of 20% as a white hat bounty. Notably, it is believed that the hacker is a rogue developer.
1/ CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.
— CertiK (@CertiK) April 26, 2023
⬇️⬇️⬇️
CertiK is collaborating with zkSync Era, the Ethereum layer-2 (L2) scaling platform atop which Merlin is built, to implement the compensation plan. The two will cover the funds lost during the public sale of Merlin DEX’s MAGE tokens.
As reported earlier, CertiK assured that it was probing the exploit. Among the finding is that the exploiter is based in Europe. The firm has brought in the services of law enforcement and Merlin team members to structure the compensation plan. Citing the security firm:
Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful.
Despite platform users being outside of the scope of the smart contract audit, CertiK has indicated the dedication of private key privileges to help the affected users.
Merlin exploit background
Merlin lost almost $850,000 worth of USD Coin (USDC), among other relatively illiquid tokens, on Wednesday, April 26, the third day after the public sale of its MAGE tokens premiered. According to blockchain data, a threat actor with control over the liquidity pool (LP) was able to extract the funds.
We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
Merlin’s code auditor, CertiK, responded with its initial findings by calling out a “potential private key management issue.” Notwithstanding, Crypto Twitter has already called to question the CertiK audit, alleging that there might be a rug pull. Thanh Nguyen, the founder of Verichains, has implied the presence of a “backdoor” in Merlin’s code, saying:
[It is a] clear security risk as there is no use case that requires its approval.
1/4 @WuBlockchain reported zkSync DEX Merlin, which got CertiK audit, was hacked. @Certik responded (https://t.co/XzFPDlgim5), stating that it wasn't a security issue but a centralization issue. However, we believe this was a clear case of intentional backdoor insertion instead. pic.twitter.com/iFicg7nwwW
— Thanh Nguyen (@redragonvn) April 26, 2023
In a statement, CertiK noted, “While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls.” Accordingly, the blockchain security firm has cautioned users to go for projects with a ‘KYC Badge,’ which provides extra security, indicating that the project has voluntarily undergone a Know Your Customer (KYC) evaluation process.
CertiK says that KYC helps reduce and avoid the risk of insider threats, such as rug pulls, besides committing to providing further updates about its compensation plan and the investigation.
In case you missed the story, find it here zkSync DEX Merlin hacked for $1.82 million immediately after CertiK audit
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.
If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.
FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.
The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.
Recommended Content
Editors’ Picks
Raydium soars 18% as Upbit lists RAY/KRW and RAY/USDT trading pairs
Raydium (RAY) price rallies more than 18% on Thursday after rebounding from its key support the previous day. The main reason for RAY’s rally is that Upbit, South Korea’s largest cryptocurrency exchange, announced the listing of RAY trading pairs.
Ethereum Price Forecast: ETH stays muted as uncertainty from Middle East crisis weighs on market sentiment
Ethereum (ETH) held steady around $2,500 in the early Asian session on Thursday following mixed activity across its on-chain data. Ethereum is experiencing calmness in its on-chain metrics following an extended period of price consolidation that has spanned the past six days after dropping from above $2,700.
Top 3 Crypto Gainers: RAY, AERO, SPX shrug off market volatility, record double-digit growth
Decentralized Finance (DeFi) tokens such as Raydium (RAY), Aerodrome Finance (AERO), and SPX6900 (SPX) outperformed the broader cryptocurrency market over the last 24 hours, following the Federal Reserve's decision to keep the policy rates unchanged at 4.25%-4.5% in the June policy meeting.
Bitcoin, Ethereum, XRP hold steady as Federal Reserve leave rates unchanged
Bitcoin (BTC) and altcoins, including Ethereum (ETH), XRP, and Solana (SOL), saw slight movements on Wednesday as the crypto market stayed resilient following the Federal Reserve's (Fed) decision to leave rates unchanged at 4.25%-4.50%.
Bitcoin: BTC could slump to $100K amid Trump-Musk tussle
Bitcoin (BTC) tumbled to a low of $101,095 on Friday amid volatility in the market. The effect of the tussle between United States (US) President Donald Trump and Tesla Chief Elon Musk negatively influenced the NASDAQ and Tesla's stock price on Thursday, although both are recovering on Friday.
The Best brokers to trade EUR/USD
SPONSORED Discover the top brokers for trading EUR/USD in 2025. Our list features brokers with competitive spreads, fast execution, and powerful platforms. Whether you're a beginner or an expert, find the right partner to navigate the dynamic Forex market.