Merlin team reveals staff involvement in $2 million exchange hack
The developers involved in the theft of funds are believed to be in Serbia
27.04.2023 - 12:40
What’s new? Representatives of the decentralized exchange (DEX) Merlin said that members of its tech team were involved in the ~$2 million hack. They said they are working with cybersecurity company CertiK, which was auditing the exchange’s smart contract code the night before the incident, to compensate all affected users. In addition, the project’s team has requested assistance in the investigation from the authorities in Serbia, where the developers involved in the theft of funds reside.
Merlin's Post-Mortem: It is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform. In the early hours of this morning several members of the Back-End Team drained all of our Contracts. — Merlin (@TheMerlinDEX) April 26, 2023
What else is known about the situation? On April 26, Merlin’s main liquidity pools were drained and users were advised to withdraw approvals for all smart contracts. According to Merlin, members of the tech team manipulated contracts in the platform’s interface to gain access to the pools.
They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts. — Merlin (@TheMerlinDEX) April 26, 2023
Merlin noted that CertiK conducted a full audit of the platform’s contracts, but the developers also had access to the exchange’s web host and could have manipulated the code there. The company acknowledged that there had been an oversight in the level of authority granted to staff. “We are deeply saddened by the actions of the technical team, whom we put a high degree of trust in,” the company added.
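Merlin advised users to withdraw their approvals for all of its smart contracts. The script below is an added example, not code from the article or from Merlin or CertiK: it replays a user's ERC-20 Approval event logs (constructed placeholders, not real Merlin addresses) to find which allowances toward a given set of spender contracts are still open and therefore need to be revoked. The event topic hash is the real ERC-20 Approval signature; every address and log entry is assumed for illustration.

```python
"""Find outstanding ERC-20 allowances that still need revoking.

Added example (not from the article or from Merlin/CertiK). All addresses,
block numbers and log entries are constructed placeholders.
"""

MAX_UINT256 = 2**256 - 1

# keccak256("Approval(address,address,uint256)") - the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# Constructed placeholder addresses (not real contracts)
OWNER = "0x" + "9" * 40       # the user whose approvals we audit
TOKEN_1 = "0x" + "a" * 40     # an ERC-20 token
TOKEN_2 = "0x" + "b" * 40     # another ERC-20 token
SPENDER_A = "0x" + "1" * 40   # a DEX contract whose approvals must be pulled
SPENDER_B = "0x" + "2" * 40   # an unrelated contract


def _pad_address(addr):
    """Indexed address parameters are left-padded to 32 bytes in a log topic."""
    return "0x" + "0" * 24 + addr[2:].lower()


def _encode_value(value):
    """uint256 event data is a 32-byte big-endian word."""
    return "0x" + format(value, "064x")


def make_approval_log(token, owner, spender, value, block, log_index):
    """Build a constructed log entry in the shape an eth_getLogs call returns."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, _pad_address(owner), _pad_address(spender)],
        "data": _encode_value(value),
        "blockNumber": block,
        "logIndex": log_index,
    }


# Constructed history: unlimited approval to A on token 1, a limited approval to B
# on token 2 that is later revoked, and a limited approval to A on token 2.
SAMPLE_LOGS = [
    make_approval_log(TOKEN_1, OWNER, SPENDER_A, MAX_UINT256, 100, 0),
    make_approval_log(TOKEN_2, OWNER, SPENDER_B, 1000, 101, 3),
    make_approval_log(TOKEN_2, OWNER, SPENDER_B, 0, 105, 1),
    make_approval_log(TOKEN_2, OWNER, SPENDER_A, 500, 103, 2),
]


def topic_to_address(topic):
    """Recover the 20-byte address from a 32-byte padded topic."""
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Decode one Approval log; return None for any other event."""
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(log["topics"][1]),
        "spender": topic_to_address(log["topics"][2]),
        "value": int(log["data"], 16),
        "block": log["blockNumber"],
        "log_index": log["logIndex"],
    }


def current_allowances(logs, owner):
    """Replay Approval events in chain order; the latest per (token, spender) wins."""
    events = [e for e in map(decode_approval, logs)
              if e is not None and e["owner"] == owner.lower()]
    events.sort(key=lambda e: (e["block"], e["log_index"]))
    state = {}
    for e in events:
        state[(e["token"], e["spender"])] = e["value"]
    return state


def approvals_to_revoke(logs, owner, suspect_spenders):
    """List still-open allowances toward the given spender contracts."""
    suspects = {s.lower() for s in suspect_spenders}
    to_revoke = []
    for (token, spender), value in current_allowances(logs, owner).items():
        if spender in suspects and value > 0:
            to_revoke.append({"token": token, "spender": spender,
                              "value": value, "unlimited": value == MAX_UINT256})
    return to_revoke


if __name__ == "__main__":
    for entry in approvals_to_revoke(SAMPLE_LOGS, OWNER, [SPENDER_A]):
        kind = "UNLIMITED" if entry["unlimited"] else str(entry["value"])
        print(f"revoke {kind} allowance on {entry['token']} for {entry['spender']}")
```

Replaying events rather than trusting the most recent one matters because a revocation (an approval of 0) can land in a later block than a larger approval that was mined first; sorting by block number and log index reproduces the on-chain state. In practice the `SAMPLE_LOGS` list would be replaced by the result of an `eth_getLogs` query filtered on the Approval topic and the user's padded address.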
CertiK representatives, for their part, initially cited a problem in private key management as the cause of the breach. Later they confirmed their cooperation with Merlin and urged the rogue developers to return the money, leaving 20% as a reward. CertiK intends to help the victims and track down the attackers. The company pledged to provide a compensation plan at a later date.
2/ We urge the rogue developers to accept a 20% white hat bounty. Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull. More compensation details will be released. — CertiK (@CertiK) April 26, 2023
On April 9, hackers transferred almost $13 million, or 23% of the exchange’s total digital assets, from the hot wallet of South Korean cryptocurrency exchange GDAC. DEX SushiSwap was exploited the same day, losing $3.3 million in ETH due to a smart contract error.
On April 14, crypto exchange Bitrue discovered a vulnerability in one of its hot wallets. With it, attackers withdrew assets worth about $23 million.