Merlin team reveals staff involvement in $2 million exchange hack
The developers involved in the theft of funds are believed to be in Serbia
27.04.2023 - 12:40
What’s new? Representatives of the decentralized exchange (DEX) Merlin said that members of its tech team were involved in the ~$2 million hack. They said they are working with cybersecurity company CertiK, which was auditing the exchange’s smart contract code the night before the incident, to compensate all affected users. In addition, the project’s team has requested assistance in the investigation from the authorities in Serbia, where the developers involved in the theft of funds reside.
Merlin's Post-Mortem: It is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform. In the early hours of this morning several members of the Back-End Team drained all of our Contracts. — Merlin (@TheMerlinDEX) April 26, 2023
What else is known about the situation? On April 26, Merlin’s main liquidity pools were drained and users were advised to withdraw approvals for all smart contracts. According to Merlin, members of the tech team manipulated contracts in the platform’s interface to gain access to the pools.
They chose to carry out several on-chain transactions to drain all of Merlin's pools and public sale, and to manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts. — Merlin (@TheMerlinDEX) April 26, 2023
Merlin noted that CertiK conducted a full audit of the platform’s contracts, but the developers also had access to the exchange’s web host and could have manipulated the code. The company acknowledged that there had been an oversight in terms of the authority given to staff. “We are deeply saddened by the actions of the technical team, whom we put a high degree of trust in,” the company added.
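The mechanism Merlin describes, a privileged function that lets one key make arbitrary calls from the pair contracts' context, is exactly the class of finding an audit reports as a "private key privilege" issue: whoever holds that key can move the reserves and anything users approved to the pairs, with no delay and no second signer. The following is an added illustration of that risk and of a least-privilege alternative; it is constructed for this article, is not Merlin's code or CertiK's audit material, and all contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration for this article. Names are hypothetical and do
// not correspond to Merlin's deployed contracts.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// --- Risky pattern: a single key can issue any call from the pair's address ---
contract PairWithBackdoor {
    address public owner;
    IERC20 public token0;
    IERC20 public token1;

    constructor(IERC20 _token0, IERC20 _token1) {
        owner = msg.sender;
        token0 = _token0;
        token1 = _token1;
    }

    // What an auditor flags: any target, any calldata, no timelock, one key.
    // Executed from the pair's address, this can move the pool reserves or any
    // token balance that users have approved to the pair.
    function execute(address target, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// --- Hardened pattern: no arbitrary call; admin actions are enumerated and delayed ---
contract PairWithTimelock {
    uint256 public constant DELAY = 2 days;
    address public admin;            // intended to be a multisig, never one person's key
    IERC20 public token0;
    IERC20 public token1;
    address public feeRecipient;

    struct Proposal { address newFeeRecipient; uint256 eta; }
    mapping(bytes32 => Proposal) public proposals;

    event FeeRecipientProposed(bytes32 id, address newFeeRecipient, uint256 eta);
    event FeeRecipientChanged(address newFeeRecipient);

    constructor(IERC20 _token0, IERC20 _token1, address _admin) {
        token0 = _token0;
        token1 = _token1;
        admin = _admin;
    }

    // The only privileged action is a specific, bounded parameter change, and it
    // is announced on-chain DELAY seconds before it can take effect, so users and
    // monitoring can react before anything moves.
    function proposeFeeRecipient(address newFeeRecipient) external returns (bytes32 id) {
        require(msg.sender == admin, "not admin");
        uint256 eta = block.timestamp + DELAY;
        id = keccak256(abi.encode(newFeeRecipient, block.timestamp));
        proposals[id] = Proposal(newFeeRecipient, eta);
        emit FeeRecipientProposed(id, newFeeRecipient, eta);
    }

    function executeFeeRecipient(bytes32 id) external {
        Proposal memory p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta, "not ready");
        delete proposals[id];
        feeRecipient = p.newFeeRecipient;
        emit FeeRecipientChanged(p.newFeeRecipient);
    }

    // Deliberately no execute(target, data): reserves can only move through the
    // pair's public swap/mint/burn logic (omitted here for brevity).
}
```

When reviewing a protocol's admin surface, the question to ask of every privileged function is what it can reach and who can trigger it: a function taking `(address target, bytes data)` behind a single owner key is a complete drain path regardless of how clean the rest of the audit is. The hardened variant limits the admin to one named parameter, requires a multisig, and emits an event at proposal time, which is what gives users the window to revoke approvals before a change lands.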
CertiK representatives, for their part, initially cited a problem in private key management as the cause of the breach. Later they confirmed their cooperation with Merlin and urged the rogue developers to return the money, leaving 20% as a reward. CertiK intends to help the victims and track down the attackers. The company pledged to provide a compensation plan at a later date.
2/ We urge the rogue developers to accept a 20% white hat bounty. Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull. More compensation details will be released. — CertiK (@CertiK) April 26, 2023
On April 9, hackers transferred almost $13 million from the hot wallet of South Korean cryptocurrency exchange GDAC, about 23% of its total digital assets. DEX SushiSwap was exploited the same day, losing $3.3 million in ETH due to a smart contract error.
On April 14, crypto exchange Bitrue discovered a vulnerability in one of its hot wallets. With it, attackers withdrew assets worth about $23 million.