CertiK Vows Refunds for Victims of Merlin DEX Scam


Last Updated on April 27, 2023 by Bitfinsider

The crypto security firm that analyzed the code of the Merlin decentralized exchange has said it intends to reimburse victims after the project’s team fled with roughly $2 million, days after the assessment was completed.

CertiK, a well-known security and smart-contract audit firm, claimed in a tweet that it “is exploring a community compensation plan” after members of the Merlin team stole funds from the project’s smart contract this week. More information regarding the strategy will be revealed in the future, according to the statement.

Initially thought to be a hack, the incident was eventually identified by security specialists such as CertiK as a rug pull — an exit scam common in the DeFi field in which one or more members of a crypto project grab control and steal funds locked within the protocol. The incident occurred just a few days after CertiK performed a code audit for Merlin, prompting Crypto Twitter users to blame the security auditor.

“As CertiK works tirelessly to resolve the situation, the company will continue to provide updates and ensure transparency throughout the process,” CertiK said in a statement to The Block. “We are committed to protecting the community and maintaining the highest level of security standards in the blockchain ecosystem.”

CertiK certifies smart contracts for DeFi projects and raised $88 million in investment at a $2 billion valuation last year. Because blockchain technology is immutable, projects frequently engage audit services like CertiK to verify their commitment to security procedures before implementing a smart contract. CertiK was also contacted by the developers of Merlin, a decentralized exchange that ran on the zkSync Layer 2 blockchain, for an audit of their smart contract.

CertiK stated that it would work with law enforcement to find the rogue developers responsible for the scam and has offered a 20% bounty (about $400,000) for the return of the stolen funds.

CertiK’s audit of Merlin did flag potential issues, including the developers’ privileged access to funds deposited in the smart contract. Nonetheless, those who believed in the concept put funds in its liquidity pools.

CertiK acknowledged the challenge of detecting hostile developer intentions, adding that “while audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls.”

