Another incident has joined the run of hacker attacks in recent days. Merlin, a decentralized exchange built on zkSync, appears to have been drained of more than $1.82 million just after receiving a code audit from smart contract auditor CertiK.
Decentralized Exchange Merlin Hit by Hacker Attack
zkSync DEX Merlin reportedly suffered a $1.82 million hacker attack right after its code audit.
CertiK tweeted that it was investigating the incident and that its initial findings pointed to a potential private key management issue rather than a flaw in the code.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
"Although audits cannot prevent private key issues, we always recommend best practices to projects," CertiK said. "If any bugs are detected, we will work with the relevant authorities and share relevant information. Stay tuned for updates."
Meanwhile, eZKalibur, a zkSync decentralized exchange and launchpad that, like Merlin, forks part of the Camelot DEX contracts, claims to have identified the malicious code responsible for draining the funds.
Questioning the quality of CertiK's audit, eZKalibur explained: "These two lines of code in the initialization function allow feeTo to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract's address".
"In this case, the feeTo address can call the transferFrom function on the respective tokens to transfer the tokens from the contract address to it."
Even if such a finding is not rated "critical", it should at least have been reported as "significant". eZKalibur said:
"It can't be seen as a stealthy and simple decentralization issue. Because without a time lock, it can lead to an instant draining of all the funds invested in the protocol, which is exactly what happened."
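To make the finding concrete, here is an added illustrative reconstruction of the pattern eZKalibur describes, placed beside a hardened alternative. It is not Merlin's, Camelot's or eZKalibur's code; the contract and function names are assumptions, and the swap logic that would credit the fee counters is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// The pattern the article describes (illustrative reconstruction, not Merlin's
// code): initialize() grants feeTo an unlimited allowance on both reserve tokens.
contract UnsafePair {
    address public token0;
    address public token1;
    address public feeTo;

    function initialize(address _token0, address _token1, address _feeTo) external {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // These two lines are the finding: whoever controls the feeTo key can
        // transferFrom() every token the pair holds, with no time lock in between.
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
}

// Hardened version: no standing allowance. Fees accrue in explicit counters
// (updated by the swap path, omitted here) and the contract pays them out
// itself, so a compromised fee key can only take earned fees, never reserves.
contract SafePair {
    address public token0;
    address public token1;
    address public feeTo;
    uint256 public accruedFee0; // protocol fee owed in token0
    uint256 public accruedFee1; // protocol fee owed in token1
    function initialize(address _token0, address _token1, address _feeTo) external {
        require(token0 == address(0), "already initialized");
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
    }

    function collectFees() external {
        require(msg.sender == feeTo, "not feeTo");
        (uint256 a0, uint256 a1) = (accruedFee0, accruedFee1);
        (accruedFee0, accruedFee1) = (0, 0); // zero before transferring (CEI)
        if (a0 > 0) require(IERC20(token0).transfer(feeTo, a0), "token0 transfer failed");
        if (a1 > 0) require(IERC20(token1).transfer(feeTo, a1), "token1 transfer failed");
    }
}
```

An auditor reviewing a pair contract can check for this in seconds: any approve() of type(uint256).max to a privileged address inside an initializer or constructor deserves a severity rating, and putting feeTo changes behind a time lock limits the blast radius of a leaked key.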
Merlin's developers have since asked users to revoke the wallet approvals granted to the project's website, and said they were analyzing how the protocol was hacked.
*Not investment advice.