Newly launched decentralized exchange Merlin was drained of around $1.82 million from its liquidity pool on Wednesday, with auditor CertiK—who completed an audit of the DEX just before its launch—blaming "rogue developers" for the hack.

In a post on Twitter, the auditor said that, "Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down," and urged them to accept a 20% white hat bounty. Merlin itself accused "several members of the Back-End team" of draining its contracts in a Twitter post.

In a statement sent to Decrypt, CertiK said that it was working with "the remaining Merlin team" on a victim aid fund for affected users. Merlin has yet to respond to Decrypt’s requests for comment.

Built on zkSync, an Ethereum layer-2 scaling solution, Merlin only launched a few days ago with the public sale of its MAGE token. Immediately before its launch, Merlin also received a code audit from smart contract security firm CertiK—a step that many crypto businesses consider essential in ensuring the safety of users' assets and maintaining the trust of customers.


According to CertiK, which said it is “actively investigating” the Merlin incident, “initial findings point to a potential private key management issue rather than an exploit as the root-cause.”

“While audits cannot prevent private key issues, we always highlight best practices to projects. Should any foul play be discovered, we will work with the appropriate authorities and share relevant info,” CertiK said in a Twitter thread, adding that it has highlighted Merlin’s centralization risk in its audit report.

Merlin responded to the incident shortly after in a “developer announcement,” asking users to “revoke connected site access on their wallets” as a precaution.


The DEX said that it is analyzing what has happened and that “more updates will be provided.”

Centralization issues

Blockchain security experts pointed to "major centralization issues" on the Merlin DEX's smart contracts.

"Though we’re still early in this whole story, there are indications that there were major centralization issues on the Merlin DEX smart contracts," Gonçalo Magalhães, smart contract engineer at bug bounty platform Immunefi, told Decrypt. "Specifically, the address receiving pool fees was allowed to drain all funds from every pool in the protocol."

In a tweet, another zkSync-based DEX, eZKalibur, claimed to have identified “the malicious code responsible for the draining of funds” in Merlin's smart contracts.

According to Immunefi’s Magalhães, while CertiK highlighted some centralization concerns in their audit, "There’s no mention of this specific point, where the fee recipient address has full approval to withdraw every token from the pools—which is actually a crucial singular point of failure.”

“If this was indeed the case of a private key compromise, then it would certainly not be the first,” said Magalhães, calling proper key management of privileged addresses on a protocol a "critical matter." He added that mitigations such as multisig wallets are beneficial, but that "having full fund transfer approval on a single account makes this private key a juicy target for blackhat hackers."


Andy Zhou, CEO at audit platform BlockSec, went a step further, arguing that while smart contract audits are helpful for locating vulnerabilities and protecting users’ assets in the protocol, "one aspect that is usually ignored is what if the protocol itself is malicious," such as having the intention to "rugpull users."

On Twitter, Zhou compared Merlin to a bank pre-authorizing that its owner can arbitrarily withdraw all customer money.

“If you know this, will you still deposit your tokens into the bank?” asked the BlockSec CEO.

Magalhães agreed that the unlimited fee recipient approval was “something not at all needed for the logic of the protocol,” telling Decrypt that “we would expect an audit to have flagged this as concerning.”

“This is another reason why having more than one external party auditing your code is important. What was missed by one firm, might be flagged by another one," said Magalhães.

In its statement to Decrypt, CertiK noted that "while audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls," and encouraged users to look for projects that have performed a voluntary KYC vetting process. The auditor also stressed that "private key privileges are outside the scope of a smart contract audit," but that it remained committed to assisting impacted users and hunting down those responsible for what it described as an "exit scam."

Editor's note: This article was updated after publication following a revised statement from Certik indicating that ZKSync is not involved in its compensation plan for victims.


Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.