Merlin exchange was hacked immediately after a security audit by CertiK
The damage from hacking exceeds $1б82 million
26.04.2023 - 13:40
267
3 min
0
What’s new? Merlin, a decentralized exchange (DEX) powered by zkSync (a solution for scaling the Ethereum blockchain), was hacked immediately after passing a smart contract code audit by cybersecurity company Certik. The total damage from the incident exceeded $1,82 million.
What else is known? CertiK officials reported that they are investigating the incident, and early findings point to a potential private key management problem, and it is not necessarily related to a code exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.While audits cannot prevent private key issues, we always highlight best practices to projects.Should any foul… — CertiK (@CertiK) April 26, 2023
CertiK pointed out that while an audit cannot prevent problems with private keys, experts always highlight best practices to projects. If fraud is detected, CertiK will share the information with the appropriate authorities.
Meanwhile, representatives of eZKalibur, another zkSync-based DEX, said that they discovered malicious code responsible for the loss of funds.
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB — eZKalibur ∎ (@zkaliburDEX) April 26, 2023
They wrote that two lines in the code give permission to a certain address to transfer an unlimited number of tokens from a contract address. eZKalibur questioned the quality of CertiK’s audit. According to the experts, the discovery of such a problem in the code should have been marked major or even critical by cybersecurity experts.
“It can’t be marked as a hidden and simple decentralization issue since, without a timelock, it could lead to an immediate drain of the totality of the funds deposited on the protocol, which is exactly what happened,” an eZKalibur representative told The Block in a comment.
Merlin developers urged users to disconnect wallets from the exchange’s website.
On April 14, crypto exchange Bitrue discovered a vulnerability in one of its hot wallets. Hackers used it to withdraw about $23 million worth of digital assets.
On April 13, PeckShield experts reported a DeFi protocol Yearn Finance exploit that caused the project to lose $11,6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1,2 quadrillion coins, using an initial deposit of $10 000.
And on April 9, hackers transferred nearly $13 million, or 23% of its total digital assets, from the hot wallet of South Korean crypto exchange GDAC. On the same day, DEX SushiSwap was exploited. The platform lost $3,3 million in ETH due to an error in the smart contract.
Useful material?
Telegram 
Twitter Incidents
Users were urged to withdraw funds before the site was completely shut down on November 7
May 8, 2024
Market
The outflow persists for four weeks
May 7, 2024
Market
The assets were valued at $630 000 at the time of receipt
May 6, 2024
Incidents
Roger Ver has been accused of not paying taxes
May 1, 2024
Mining
After the publication of the financial report, the company’s shares added 5%
Apr 30, 2024
Market
The commission had previously warned the developer of potential enforcement actions
Apr 29, 2024
Cryptocurrency rates
-
Bitcoin
$61 481
BTC
-1.71%
-
Ethereum
$2 993.95
ETH
-1.08%
-
BNB Smart Chain
$586.93
BSC
+1.26%
-
Ripple
$0.519591
XRP
-0.87%
-
Dogecoin
$0.14601
DOGE
-3.37%
-
Cardano
$0.462516
ADA
+4.62%
-
Polkadot
$7.02
DOT
+0.15%
-
Bitcoin Cash
$451.99
BCH
-3.25%
-
Litecoin
$81.93
LTC
+1.18%
-
Stellar XLM
$0.107389
XLM
-0.66%