CertiK-audited DEX Merlin Exploited For $1.8m

Merlin, an Ethereum-based decentralized exchange (DEX) utilizing zkSync layer-2 protocol, suffered an exploit in which roughly $1.8 million in funds were lost.

This occurred despite having received an audit from smart-contract auditor CertiK. Since the disclosure, the Merlin team has advised users to revoke wallet permissions connected to its site and has announced that it is currently analyzing possible methodologies for the exploit.

Developer announcement

Can everyone revoke connected site access on your wallets/sign permission https://t.co/YRxH7IUU4T

We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution.

More updates will be provided

— Merlin (@TheMerlinDEX) April 26, 2023

CertiK, the firm which issued the audit, claimed in its preliminary investigation that the incident may have originated from a private key management issue, rather than an exploit. The firm highlighted the “centralization risk” in its audit while also emphasizing that audits, on their own, are not designed to prevent private key issues. CertiK has assured that it will share relevant information with authorities if foul play can be suspected, or if insider information was possibly leaked.

Blockchain security firm Peckshield has also issued disclosures on the threat actor, who has started moving some of the stolen funds to exchanges, with $133,800 USDC sent to MEXC Global and $31,000 USDC sent to Binance.

CertiK is a prominent brand in the blockchain security industry, and yet despite its defense on the matter, others have questioned the validity of the audit. eZKalibur, another zkSync DEX, claims to have identified the malicious code responsible for the fund drainage and raised questions on the quality of CertiK’s audit.

According to eZKalibur, the problematic code lies within the initialize function, where two lines of code grant approval for the feeTo address to transfer an unlimited amount (type(uint256).max) of token0 and token1 from the contract’s address. In this case, the feeTo address could potentially call the transferFrom function on the respective tokens, allowing the transfer of tokens from the contract’s address to itself.

This finding raises questions about the thoroughness of CertiK’s audit, as the risk of a rug pull, which is a significant concern, was not explicitly highlighted in the reporrt.

eZKalibur argues that this issue should have been marked as “major” or even “critical” rather than a simple decentralization concern. In the absence of a timelock, such a vulnerability could lead to the immediate draining of all deposited funds, which is what transpired in the Merlin DEX exploit.

We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.

These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB

— eZKalibur ∎ (@zkaliburDEX) April 26, 2023

As the debate over the auditing process and centralization risks continues, blockchain data indicates that two addresses were responsible for the exploit. An address starting with 0x2744 took $850,000 USDC and bridged it to Ethereum, while another address, 0x2744d62, stole $844,000 USDC.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.