The DEX Merlin hack occurred despite a positive assessment from leading Certik specialists who analyze the code of blockchain projects.
On the morning of April 26, hackers withdrew about $850,000 worth of USD Coin (USDC) stablecoins from Merlin, as well as several other relatively illiquid tokens. Blockchain data shows that the funds were withdrawn by an entity that controlled the exchange’s liquidity pool. This may suggest that the attack was not technically sophisticated and that the theft itself may have been the work of an insider of this project.
The attack occurred despite the fact that Merlin was audited by Certik, which is the market leader in auditing the software code of blockchain projects. The service’s conclusion from the Merlin audit stated that there were “no critical bugs” in the exchange’s code.
Certik representatives wrote on social media that they are investigating the incident. Their initial findings point to a potential problem with the management of the project’s private cryptographic keys that give access to funds. “An audit can’t completely prevent problems with keys. But we always call projects’ attention to best practices,” Certik said.
Merlin developers have asked users to revoke the permissions of wallets connected to its site. They say they are analyzing a possible vulnerability in the protocol.
Matter Labs is behind the development of the zkSync “second-tier” blockchain. In November 2022, it led several investment rounds totaling $258 million with LightSpeed, Andreessen Horowitz, and major crypto venture capital firms Blockchain Capital and Dragonfly.
Our experts note that Merlin is considered a potential candidate for token distribution in the form of an airdrop for activity in its ecosystem projects, which include the hacked Merlin platform.