Last Updated on April 26, 2023 by Bitfinsider
Certik tweeted that it is examining the incident and that preliminary findings point to a problem with private key management rather than a code vulnerability. “While audits cannot prevent private key issues, we always highlight best practices to projects,” stated Certik. “If any wrongdoing is discovered, we will work with the appropriate authorities and share relevant information. Keep an eye out for updates.”
Meanwhile, eZKalibur, a zkSync decentralized exchange and launchpad that, like Merlin, forked a portion of the Camelot DEX contract, claims to have uncovered the malicious code responsible for the drain of funds.
“These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract’s address,” it noted, while calling Certik’s auditing quality into doubt. “In this case, the feeTo address could potentially call the transferFrom function on the respective tokens in order to transfer tokens from the contract’s address to itself.”
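To make the pattern eZKalibur describes concrete for anyone reviewing a forked pair contract, the following is an added illustration, not Merlin's or Camelot's actual code. It contrasts a constructed `initialize` that grants the fee recipient an unlimited allowance on both pool tokens with a hardened variant that grants no allowance at all and only ever pays out explicitly tracked fee amounts. Contract and function names (`UnsafePair`, `SafePair`, `collectFees`, `_accrueFees`) are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by the two example contracts below.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed example of the risky pattern: the initializer hands the feeTo
// address an unlimited allowance over both pool tokens. Illustrative only;
// this is not the code of any real project.
contract UnsafePair {
    address public token0;
    address public token1;
    address public feeTo;
    bool private initialized;

    function initialize(address _token0, address _token1, address _feeTo) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // Audit red flag: after these two lines, whoever controls feeTo can
        // call transferFrom on either token for the pair's entire balance,
        // so a single compromised or malicious key empties the pool.
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
}

// Hardened variant: the pair never approves any spender. Fees are credited
// to explicit counters and pushed out in bounded amounts, so feeTo cannot
// reach user liquidity even if its private key is compromised.
contract SafePair {
    address public token0;
    address public token1;
    address public feeTo;
    bool private initialized;
    uint256 public fees0; // accrued protocol fees in token0
    uint256 public fees1; // accrued protocol fees in token1

    function initialize(address _token0, address _token1, address _feeTo) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // No allowance is granted to anyone here.
    }

    // Hypothetical bookkeeping hook; a real pair would credit this on swaps.
    function _accrueFees(uint256 amount0, uint256 amount1) internal {
        fees0 += amount0;
        fees1 += amount1;
    }

    // Only the accrued fee balance can leave the contract, and only to feeTo.
    function collectFees() external {
        uint256 a0 = fees0;
        uint256 a1 = fees1;
        fees0 = 0;
        fees1 = 0;
        if (a0 > 0) require(IERC20(token0).transfer(feeTo, a0), "transfer0 failed");
        if (a1 > 0) require(IERC20(token1).transfer(feeTo, a1), "transfer1 failed");
    }
}
```

The review check this illustrates is simple: in any constructor or initializer of a contract that custodies user funds, look for `approve(..., type(uint256).max)` (or any large fixed allowance) to an address the team controls, and treat it as a centralization finding that users should know about, since it makes the safety of all deposits depend on one key.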
Certik tweeted that it identified Merlin’s centralization risk in its DEX audit, but some believe that the danger of a rug pull should have been noted as well.
Merlin developers have since asked users to revoke wallet permissions connected to its website. They claim to be analyzing the exploit of the protocol.
Hardware wallets are safe and secure devices that can be used offline. They keep your cryptocurrency offline, making it impossible for you to be hacked. To find out more about the leading hardware wallets, you may view our reviews here: Ledger & Trezor
Disclaimer: The views and opinions expressed by the author, or any people mentioned in this article, are for informational purposes only, and they do not constitute financial, investment, legal, tax or other advice. Investing in or trading cryptocurrency or stocks comes with a risk of financial loss.