zkSync-based DEX Merlin exploited for $1.82m despite CertiK audit

Merlin, a decentralized exchange built on the newly launched zkSync Era blockchain, saw its liquidity pool compromised on Wednesday during a public sale of its MAGE tokens.


Merlin, a decentralized exchange that touts itself as an innovative solution for real yield and liquidity lodging, suffered a $1.82 million hack on April 26. The attacker drained around $850,000 in USDC and grabbed some other relatively liquid tokens along the way.

Crypto security firm PeckShield was first to report the hack, tweeting the exploiter's address. The attacker quickly bridged the USDC haul from zkSync to Ethereum and began cashing out through centralized exchanges, sending 31k USDC to Binance and 133k to MEXC.

Binance representative and r/binance moderator symbiotic_bnb said the exchange is aware of the case and is investigating. “While it looks like a Binance.com deposit on-chain, it was actually a deposit to Mandala Exchange, which uses our Binance Cloud product,” they stated.


The Merlin community has asked USDC issuer Circle to blacklist wallets controlled by the exploiter and freeze the stolen funds, but it is unclear whether the stablecoin issuer will comply. Unlike USDT issuer Tether, which is quick to blacklist addresses after exploits, Circle blocks addresses only when it is legally compelled to. A blacklist would in any case only catch USDC still sitting in the exploiter's own addresses; funds already swapped into other assets or deposited to an exchange are beyond the issuer's reach.

“Circle and the Centre Consortium only block addresses when we are legally required. This includes court-ordered interventions as well as sanctions compliance following U.S. and international rules,” Circle’s Developer Q & A reads.

Merlin developers said they are analyzing the exploit and promised to provide further details on the incident, urging all users of the DEX to revoke any token approvals they had granted to its contracts from their wallets.
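What "revoking access" means at the contract level, as an added example that is not code from the article or from Merlin: a DEX gets to move a user's tokens through a persistent ERC-20 allowance created by `approve()`, and that allowance survives until the user sets it back to zero. The JavaScript below builds the raw JSON-RPC payloads a wallet or revocation tool would use to read an allowance and to zero it. The function selectors are the standard ERC-20 ones; the token, owner and spender addresses are constructed for the demo and are not real contracts.

```javascript
// Added example: raw JSON-RPC payloads to inspect and revoke an ERC-20
// allowance. Not code from the article or from Merlin; the demo addresses
// below are constructed.
//
// Selectors are the first four bytes of keccak256(signature) and are the same
// for every ERC-20 token:
//   allowance(address,address) -> 0xdd62ed3e
//   approve(address,uint256)   -> 0x095ea7b3
const SELECTOR_ALLOWANCE = "0xdd62ed3e";
const SELECTOR_APPROVE = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encode a 20-byte address as a left-padded 32-byte word (no 0x prefix).
function encodeAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error(`bad address: ${addr}`);
  return hex.padStart(64, "0");
}

// ABI-encode a uint256 (BigInt) as a 32-byte word (no 0x prefix).
function encodeUint256(value) {
  if (typeof value !== "bigint" || value < 0n || value > MAX_UINT256) {
    throw new Error("uint256 out of range");
  }
  return value.toString(16).padStart(64, "0");
}

// eth_call that reads allowance(owner, spender) on `token`.
function buildAllowanceCall(token, owner, spender) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [
      { to: token, data: SELECTOR_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender) },
      "latest",
    ],
  };
}

// Decode the single uint256 word returned by allowance() into a BigInt.
function decodeAllowance(returnData) {
  const hex = returnData.replace(/^0x/, "");
  if (!/^[0-9a-f]{64}$/i.test(hex)) throw new Error("unexpected return data");
  return BigInt("0x" + hex);
}

// Classify an allowance so the caller knows what needs revoking. "unlimited"
// is what an "approve unlimited" wallet prompt produces.
function classifyAllowance(value) {
  if (value === 0n) return "none";
  if (value === MAX_UINT256) return "unlimited";
  return "limited";
}

// eth_sendTransaction that calls approve(spender, 0), i.e. revokes the
// allowance. The wallet still has to sign it with `owner`'s key.
function buildRevokeTx(token, owner, spender) {
  return {
    jsonrpc: "2.0",
    id: 2,
    method: "eth_sendTransaction",
    params: [
      { from: owner, to: token, data: SELECTOR_APPROVE + encodeAddress(spender) + encodeUint256(0n) },
    ],
  };
}

// Demo with constructed (hypothetical) addresses; real values come from the
// user's wallet and the DEX's published contract addresses.
const DEMO_TOKEN = "0x" + "11".repeat(20);
const DEMO_OWNER = "0x" + "22".repeat(20);
const DEMO_SPENDER = "0x" + "33".repeat(20);
console.log(JSON.stringify(buildAllowanceCall(DEMO_TOKEN, DEMO_OWNER, DEMO_SPENDER)));
// A node answers an unlimited approval with a word of all 0xff bytes:
console.log(classifyAllowance(decodeAllowance("0x" + "f".repeat(64)))); // unlimited
console.log(JSON.stringify(buildRevokeTx(DEMO_TOKEN, DEMO_OWNER, DEMO_SPENDER)));
```

A revoke is one signed transaction per token per spender, so a user who approved several tokens to the DEX's router or pool contracts has to repeat it for each; unlimited allowances are the ones to clear first. Revoking only helps against a spender that can still call `transferFrom`; if the user's own private key has been exposed, the right move is to transfer the remaining assets to a fresh wallet instead.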

Ironically, a Merlin Medium post published a day before the hack claims that the protocol went through a rigorous audit from CertiK to ensure that investors "have peace of mind."

“On zkSync, many projects have rushed the launch and public sale, with some situations leading to investors losing funds in the process. However, the Merlin team values security as its utmost priority,” the blog post reads.

Indeed, CertiK did audit Merlin's smart contract code and reported six findings, including one rated major, which was marked as resolved. CertiK's security score, which weighs code security, fundamental health, operational resilience, community trust, market stability, and governance strength, gave the protocol 47 out of 100.


Although CertiK is generally considered a trustworthy crypto security company, a number of projects it audited were later exploited. The most recent example is SafeMoon (SFM), a DeFi protocol on BNB Chain that was hacked for $8.9 million on March 28 and then struck a deal with the hacker to recover 80% of the funds in exchange for a 20% bounty.

CertiK also audited Rubic, a cross-chain aggregator that lost over $1.5 million in ETH in November 2022, and DeFi protocol Defrost Finance, which suffered a $12 million flash loan attack in December 2022. The latter, however, may have been a rug pull, as CertiK said it was unable to contact members of the team.

As the crypto community grows more suspicious of smart contract audits, more effort should be put into restoring that trust, since auditing remains a crucial part of ensuring the security and reliability of web3 protocols and applications. Users can also do their part: an audit is a point-in-time review of the code in scope, so it is worth reading the published report for what was covered, how severe the findings were and whether they were actually fixed, rather than treating the word "audited" as a guarantee.