Merlin exchange was hacked immediately after a security audit by CertiK
The damage from the hack exceeds $1.82 million
26.04.2023 - 13:40
What’s new? Merlin, a decentralized exchange (DEX) built on zkSync (a scaling solution for the Ethereum blockchain), was hacked immediately after its smart contract code passed an audit by the cybersecurity company CertiK. The total damage from the incident exceeded $1.82 million.
What else is known? CertiK officials reported that they are investigating the incident; early findings point to a potential private key management problem rather than, necessarily, a code exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause. While audits cannot prevent private key issues, we always highlight best practices to projects. Should any foul… — CertiK (@CertiK) April 26, 2023
CertiK pointed out that while an audit cannot prevent problems with private keys, experts always highlight best practices to projects. If fraud is detected, CertiK will share the information with the appropriate authorities.
Meanwhile, representatives of eZKalibur, another zkSync-based DEX, said that they discovered malicious code responsible for the loss of funds.
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds. These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB — eZKalibur ∎ (@zkaliburDEX) April 26, 2023
They wrote that two lines in the code grant a certain address permission to transfer an unlimited number of tokens from a contract address. eZKalibur questioned the quality of CertiK’s audit. According to the experts, such a finding in the code should have been rated major or even critical by the auditors.
“It can’t be marked as a hidden and simple decentralization issue since, without a timelock, it could lead to an immediate drain of the totality of the funds deposited on the protocol, which is exactly what happened,” an eZKalibur representative told The Block in a comment.
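To make the pattern eZKalibur describes concrete, here is an added illustration in Python (not Merlin’s code, and not CertiK’s or eZKalibur’s): a minimal model of ERC-20 allowance semantics, an `initialize` that grants a `feeTo` address an unlimited (`2**256 - 1`, i.e. `type(uint256).max`) allowance over the pool’s tokens, and a hardened variant that keeps no standing allowance and pays only accrued fees. The `find_unlimited_allowances` function is the check an auditor would run to surface such a grant. The addresses, balances and pool layout are constructed for the example.

```python
"""Model of the standing-unlimited-approval issue described in the article.
All names, balances and addresses are constructed for illustration only."""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # type(uint256).max in Solidity


@dataclass
class Token:
    """ERC-20 reduced to balances and (owner, spender) -> allowance."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        # An unlimited allowance is never decremented: it survives every pull.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


def initialize_vulnerable(token, pool, fee_to):
    """The pattern in the thread: a permanent unlimited approval to one address."""
    token.approve(pool, fee_to, UINT256_MAX)


def initialize_hardened(token, pool, fee_to):
    """No standing approval at all; fees are pushed by pay_fee() instead."""
    return None


def pay_fee(token, pool, fee_to, amount, accrued):
    """Push model: the pool sends only fees it has actually accrued.
    Returns the remaining accrued-fee balance."""
    if amount > accrued:
        raise ValueError("fee exceeds accrued fees")
    token.transfer(pool, fee_to, amount)
    return accrued - amount


def find_unlimited_allowances(token):
    """Audit check: every standing unlimited allowance, sorted for stable output."""
    return sorted(k for k, v in token.allowances.items() if v == UINT256_MAX)


def drain_attempt(token, pool, fee_to):
    """How much fee_to can pull from the pool with a single transferFrom."""
    amount = token.balances.get(pool, 0)
    try:
        token.transfer_from(fee_to, pool, fee_to, amount)
        return amount
    except PermissionError:
        return 0


def demo(initialize):
    """Run one initialize variant against a constructed pool and report."""
    token = Token(balances={"pool": 1_000_000})
    initialize(token, "pool", "feeTo")
    flagged = find_unlimited_allowances(token)
    pulled = drain_attempt(token, "pool", "feeTo")
    return {"flagged": flagged, "pulled": pulled,
            "pool_left": token.balances["pool"]}


if __name__ == "__main__":
    print("vulnerable:", demo(initialize_vulnerable))
    print("hardened:  ", demo(initialize_hardened))
```

In the vulnerable run the audit check flags the `("pool", "feeTo")` pair and the whole pool balance moves in one call; in the hardened run nothing is flagged and the pull fails, while `pay_fee` still lets the pool settle fees it has earned. Whoever controls the `feeTo` key in the first variant controls the pool, which is why the thread argues the finding belongs in the major or critical tier rather than being filed as a decentralization note.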
Merlin developers urged users to disconnect wallets from the exchange’s website.
On April 14, crypto exchange Bitrue discovered a vulnerability in one of its hot wallets. Hackers used it to withdraw about $23 million worth of digital assets.
On April 13, PeckShield experts reported an exploit of the DeFi protocol Yearn Finance that caused the project to lose $11.6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1.2 quadrillion coins, using an initial deposit of $10,000.
And on April 9, hackers transferred nearly $13 million, or 23% of its total digital assets, from the hot wallet of South Korean crypto exchange GDAC. On the same day, DEX SushiSwap was exploited. The platform lost $3.3 million in ETH due to an error in the smart contract.