Last Updated on April 26, 2023 by Bitfinsider

Merlin, a zkSync-based decentralized exchange, appears to have been hacked for more than $1.82 million shortly after receiving a code audit from smart-contract auditor Certik.

Certik tweeted that it is examining the incident and that preliminary findings point to a problem with private key management rather than a code vulnerability. “While audits cannot prevent private key issues, we always highlight best practices to projects,” stated Certik. “If any wrongdoing is discovered, we will work with the appropriate authorities and share relevant information.” Keep an eye out for updates.”

Meanwhile, eZKalibur, a zkSync decentralized exchange and launchpad that, like Merlin, forked a portion of the DEX Camelot contract, claims to have uncovered the malicious code responsible for the cash drain.

“These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract’s address,” it noted, while calling Certik’s auditing quality into doubt. “In this case, the feeTo address could potentially call the transferFrom function on the respective tokens in order to transfer tokens from the contract’s address to itself.”

Certik tweeted that it identified Merlin’s centralization risk in its DEX audit, but some believe that the danger of a rug pull should have been noted as well.

Merlin developers have since asked users to revoke wallet permissions connected to its website. They claim to be analyzing the exploit of the protocol.