
zkSync: DEX Merlin rug pull for $1.82 million just after receiving an audit

by Thomas

Merlin, a new DEX launched on zkSync, suffered a rug pull of nearly $2 million during its public sale of MAGE tokens. The technical team responsible had implemented malicious code despite a very recent audit by blockchain security firm CertiK. Legal action has been taken against those responsible, who are believed to be based in Serbia.

The Merlin project gets a rug pull

A strange rug pull occurred yesterday, Wednesday 26 April, on the Merlin decentralised exchange (DEX), recently launched on the zkSync network. The DEX, which had just undergone an audit by blockchain security firm CertiK, saw its liquidity pools emptied to the tune of just under $2 million in the middle of a public sale of its MAGE token.

At first, the finger was naturally pointed at the audit, as a hack seemed the most likely hypothesis. For its part, CertiK indicated that its initial conclusions pointed towards “a potential private key management problem” rather than a hack or the exploitation of a flaw.

In the end, it would appear that it was the technical team in charge of the project that implanted malicious code in the DEX structure.

“It is with the greatest regret that we have to inform you of a major failure in the structural integrity and controls of the Merlin platform. In the early hours of this morning, several members of the Back-End team emptied all of our contracts.”

The project team adds, further on:

“We submitted all the contracts intended for use on our platform to Certik who carried out a full audit. However, there was a clear oversight of the overriding power that the _owner [line of code concerned, editor’s note] had over the pools. In addition, the back-end team, who also have access to our hosting provider, manipulated our code without their knowledge to achieve their goal.”

Prosecution of perpetrators

In its statement, the Merlin team adds that the technical team responsible for the rug pull is believed to be located in Serbia, and that the local authorities have been contacted accordingly. In addition, the funds continue to be traced in cooperation with on-chain analysts.

CertiK has since issued a statement informing its community that the stolen funds will be reimbursed to their holders, and that “further information” will be provided on this subject. CertiK states that “even after raising the private key issues” in its audit, it wishes to participate in the reimbursement of affected users.

A deal was offered to the guilty individuals: the return of 80% of the funds in exchange for the remaining 20% and the dropping of all charges. DEX Merlin, which had just launched, now has no liquidity, while the sale of its token is still ongoing.
