Merlin, a decentralized exchange using zkSync that was recently audited by Certik, appears to have suffered a hack resulting in a loss of more than $1.82 million. Certik says on its Twitter account that it is investigating the incident and that its initial findings point to a possible private key management problem rather than a code vulnerability.
Certik said: “We’re actively investigating the Merlin DEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause. While audits cannot prevent private key issues, we always highlight best practices for projects. Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates.”
Malicious Code Behind the Fund Depletion?
Meanwhile, eZKalibur, a decentralized exchange and launchpad using zkSync that, like Merlin, shares a similar codebase with Camelot’s DEX, has reported that it has pinpointed the malicious code behind the fund depletion.
Questioning the caliber of Certik’s audit, eZKalibur stated: “These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract’s address. In this case, the feeTo address could potentially call the transferFrom function on the respective tokens to transfer tokens from the contract’s address to itself.”
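The pattern eZKalibur describes can be flagged mechanically during a review. The following is an added example, not code from Merlin, Certik or eZKalibur: a small Python check that reports every maximum-allowance approval in a Solidity source file together with the function it sits in and the spender it favours. The Solidity sample, its contract and interface names, and the helper names are constructed for illustration.

```python
import re

# Constructed Solidity sample modelled on the pattern the quote describes.
# It is NOT the Merlin source; contract and interface names are hypothetical.
SAMPLE = '''
contract Pair {
    function initialize(address _token0, address _token1) external {
        token0 = _token0;
        token1 = _token1;
        address feeTo = IFactory(factory).feeTo();
        IERC20(_token0).approve(feeTo, type(uint256).max);
        IERC20(_token1).approve(feeTo, type(uint256).max);
    }
}
'''

FUNC = re.compile(r'\bfunction\s+(\w+)\s*\(')
# Two-argument approval calls whose amount is the maximum uint256,
# written as type(uint256).max, uint256(-1) or 2**256 - 1.
MAX_APPROVE = re.compile(
    r'\.\s*(?:safeApprove|approve|safeIncreaseAllowance|increaseAllowance)'
    r'\s*\(\s*([^,()]+?)\s*,\s*'
    r'(?:type\s*\(\s*uint(?:256)?\s*\)\s*\.max'
    r'|uint(?:256)?\s*\(\s*-\s*1\s*\)'
    r'|2\s*\*\*\s*256\s*-\s*1)\s*\)'
)

def strip_comments(src):
    """Blank out comments so commented-out code is ignored; keeps line numbers."""
    src = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'),
                 src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def find_unlimited_approvals(source):
    """Return (line_no, function, spender) for each max-allowance approval.

    Each hit is attributed to the most recently declared function."""
    findings, current = [], None
    for no, line in enumerate(strip_comments(source).splitlines(), 1):
        m = FUNC.search(line)
        if m:
            current = m.group(1)
        for hit in MAX_APPROVE.finditer(line):
            findings.append((no, current, hit.group(1)))
    return findings

if __name__ == "__main__":
    for no, func, spender in find_unlimited_approvals(SAMPLE):
        print(f"line {no}: {func}() grants unlimited allowance to {spender}")
```

A hit is a prompt for manual review, not a verdict: the reviewer still has to establish who controls the spender address and whether anything such as a timelock stands between that party and the pool's balances.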
Although Certik mentioned that it identified Merlin’s centralization risk during its audit of the DEX, some are of the opinion that the risk of a rug pull should have been emphasized. eZKalibur remarked that a discovery of this nature should be classified as at least “major,” if not “critical.”
Furthermore, eZKalibur asserted that the finding cannot be classified as a mere decentralization issue, since the absence of a timelock could result in an instantaneous depletion of all funds deposited on the protocol, which is precisely what occurred.
The developers of Merlin have requested that users revoke the wallet permissions linked to the Merlin website. They state that they are currently analyzing the protocol’s exploitation.