{"id":77852,"date":"2023-04-26T11:03:25","date_gmt":"2023-04-26T08:03:25","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=77852"},"modified":"2025-09-11T01:37:21","modified_gmt":"2025-09-10T22:37:21","slug":"merlin-on-zksync-era-hacked-for-1-82-million-after-certik-audit","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/merlin-on-zksync-era-hacked-for-1-82-million-after-certik-audit\/","title":{"rendered":"Merlin on zkSync Era hacked for $1.82 million after CertiK audit"},"content":{"rendered":"<p>Decentralised exchange Merlin, built on <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-a-layer%e2%80%912-solution-in-blockchain\">layer-2 solution<\/a> zkSync Era, lost assets worth about $1.82 million in what appears to be an exploit, shortly after CertiK&#8217;s audit.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">URGENT: <a href=\"https:\/\/twitter.com\/TheMerlinDEX?ref_src=twsrc%5Etfw\">@TheMerlinDEX<\/a> has been HACKED!<\/p>\n<p>Over $1.82M stolen from investors as LP drains. If you&#8217;ve interacted with their contracts, revoke your wallet IMMEDIATELY! \u26a0\ufe0f<\/p>\n<p>Revoke here <a href=\"https:\/\/t.co\/SdEInOVqZp\">https:\/\/t.co\/SdEInOVqZp<\/a><\/p>\n<p>Help warn others \u2014 RETWEET this vital info! <a href=\"https:\/\/t.co\/1UB40UCDxl\">pic.twitter.com\/1UB40UCDxl<\/a><\/p>\n<p>\u2014 Documenting zkSync (@DocumentzkSync) <a href=\"https:\/\/twitter.com\/DocumentzkSync\/status\/1651091232163258368?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>The exchange&#8217;s developers said they were investigating a possible breach and urged users to revoke approvals for all smart contracts. They promised to provide further information later.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Developer announcement
<\/p>\n<p>Can everyone revoke connected site access on your wallets\/sign permission <a href=\"https:\/\/t.co\/YRxH7IUU4T\">https:\/\/t.co\/YRxH7IUU4T<\/a><\/p>\n<p>We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution.<\/p>\n<p>More updates will be provided<\/p>\n<p>\u2014 Merlin (@TheMerlinDEX) <a href=\"https:\/\/twitter.com\/TheMerlinDEX\/status\/1651090982274752513?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>The incident occurred immediately after the platform&#8217;s main yield-farming pools were launched. On April 24, CertiK completed a renewed security audit of Merlin&#8217;s codebase.<\/p>\n<p>Experts from CertiK stated that the preliminary investigation pointed to a potential private-key management issue as the main cause of the unauthorized withdrawal, rather than an exploit.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">We\u2019re actively investigating the <a href=\"https:\/\/twitter.com\/TheMerlinDEX?ref_src=twsrc%5Etfw\">@TheMerlinDEX<\/a> incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.<\/p>\n<p>While audits cannot prevent private key issues, we always highlight best practices to projects.<\/p>\n<p>Should any foul\u2026<\/p>\n<p>\u2014 CertiK (@CertiK) <a href=\"https:\/\/twitter.com\/CertiK\/status\/1651088669187473408?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWhile audits cannot prevent key-management problems, we always highlight best practices for projects. 
In the event of any misconduct, we will work with the relevant authorities and share information,\u00bb CertiK said.<\/p>\n<\/blockquote>\n<p>The DEX team eZKalibur reportedly identified malicious code in Merlin&#8217;s software that enabled the theft of assets. The exchanges use smart-contract code similar to that of another decentralized platform on the zkSync Era network \u2014 Camelot.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.<\/p>\n<p>These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)\u2026 <a href=\"https:\/\/t.co\/mIksh4HkhB\">pic.twitter.com\/mIksh4HkhB<\/a><\/p>\n<p>\u2014 eZKalibur \u220e (@zkaliburDEX) <a href=\"https:\/\/twitter.com\/zkaliburDEX\/status\/1651087592052359169?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>Unlike rivals, Merlin&#8217;s contract implementation includes two lines in its initialize function that grant the feeTo address, which is controlled by the deployer, approval to transfer an unlimited quantity of pool tokens.<\/p>\n<p>The findings from eZKalibur were echoed by developers of other projects. 
Users suspected Merlin&#8217;s team of carrying out a <span data-descr=\"the project developers suddenly abandon the project and sell or remove all its liquidity\" class=\"old_tooltip\">rug-pull<\/span>.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">btw Merlin is a 100% rug, <br \/>It approves uint256 max to feesto address (deployer) which let it get drained<\/p>\n<p>LP tokens can be withdrawn but liq can&#8217;t be removed for the same reason, there are no funds left in the pool<\/p>\n<p>Source: <a href=\"https:\/\/twitter.com\/overnight_fi?ref_src=twsrc%5Etfw\">@overnight_fi<\/a> team member <a href=\"https:\/\/t.co\/QyZJZwCrPx\">pic.twitter.com\/QyZJZwCrPx<\/a><\/p>\n<p>\u2014 yieldfarming (@delucinator) <a href=\"https:\/\/twitter.com\/delucinator\/status\/1651078812564692994?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>Commentators also questioned the quality of CertiK&#8217;s audit.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">100% RUG, Their contract approves the tokens to the deployer. Bizarrely, <a href=\"https:\/\/twitter.com\/CertiK?ref_src=twsrc%5Etfw\">@CertiK<\/a>&#8217;s audit has no hints <a href=\"https:\/\/t.co\/WCtdT2p2ib\">pic.twitter.com\/WCtdT2p2ib<\/a><\/p>\n<p>\u2014 ConnorRepeat
(@ConnorRepeat) <a href=\"https:\/\/twitter.com\/ConnorRepeat\/status\/1651080706427334656?ref_src=twsrc%5Etfw\">April 26, 2023<\/a><\/p><\/blockquote>\n<p>Earlier this April, the DeFi protocol Terraport Finance on the Terra Classic network was hacked for $2 million <a href=\"https:\/\/u1f987.com\/en\/news\/terraport-finance-defi-protocol-hacked-ten-days-after-launch\">ten days after its official launch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Decentralised exchange Merlin, built on the zkSync Era layer-2 solution, lost assets worth about $1.82 million following CertiK&#8217;s audit.<\/p>\n","protected":false},"author":1,"featured_media":77853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1093],"class_list":["post-77852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"15","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/77852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=77852"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/77852\/revisions"}],"predecessor-version":[{"id":77854,"href":"https:\/\/u1f987.com\/en\/wp-json\
/wp\/v2\/posts\/77852\/revisions\/77854"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/77853"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=77852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=77852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=77852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}