zkSync DEX Merlin hacked for $1.82 million immediately after CertiK audit

zkSync decentralized exchange (DEX) Merlin was hacked shortly after an audit by smart contract auditor CertiK. Reportedly, the threat actor drained the liquidity pool (LP) and made away with $1.82 million. As the DEX continues to analyze the attack, the team has cautioned everyone linked to its site to revoke their wallets and change the status of their sign permission.

Blockchain security firm PeckShield has revealed that the attacker is already sending the loot to exchanges, citing $133,800 USDC sent to MEXC Global and $31,000 USDC to Binance.

PeckShield has also provided the hacker's addresses, indicating that two addresses were responsible for the exploit. Reportedly, the first address, which starts with 0x2744, took $850,000 USDC before bridging it to Ethereum. The other address, starting with 0x2744d62, looted $844,000 USDC.

The fact that the attacker drained the liquidity pools indicates that they somehow engineered the LP's smart contracts.

Considering CertiK also audited Terra, the attack has raised concerns over the validity of the firm's audits, despite it being one of the biggest brands in the blockchain security space. Other CertiK clients that suffered hacks post-audit include PancakeBunny, Uranium Finance, and Meerkat Finance. This has cast doubt on the quality of CertiK audits.  

Two views have already questioned the Certik audit, suggesting that Merlin could be a rug.  Another said:

In the Merlin code, there is a "backdoor" code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function.

CertiK defends itself and says the audit job was well done

According to CertiK, an initial probe into the attack shows that the root cause was a potential private key management issue, not an exploit.

Notably, the blockchain security firm says it had highlighted the "centralization risk" in its audit under the "Decentralization Efforts" section, adding, "Audits cannot prevent private key issues. The auditor has also committed to sharing relevant information with the authorities if there is suspicion of foul play.

In an April 26 interview with Chinese media, Certik founder and professor at Columbia University, Gu Ronghui, proudly said:

We (CertiK) have turned blockchain security into a track almost by ourselves, which has attracted a lot of attention.

Gu also boasted about CertiK's 70% share of the crypto security market, saying that the auditing firm had reduced the cost of Web3 security audits by more than 90%. 

Notwithstanding, the crypto community will be doubly cautious about the Merlin platform, whose main token is MAGE, currently in the public sale phase. Among the main offerings of the DEX is Core Farming Pools, which according to officials, would only be launched after the audit is completed to reassure investors.

Notably, the hack happened on the same day this interview was published. CertiK will remain under the microscope.