Key Points:

• The DEX Merlin of zkSync was hacked and over $1.82 million in funds was stolen.
• Certik found that a potential private key management issue could be the root cause of the hack.
• zkaliburDEX’s research on Merlin smart contracts identified a malicious code that caused the funds to be drained.

zkSync, a Layer 2 scaling solution for Ethereum, has experienced a significant setback as its DEX Merlin was hacked. The hacker has stolen over $1.82 million in funds, and the LP has been drained.

According to the founder of OxScope, 0xBobie, the stolen funds have been identified to be in two wallets:

• 0x0b8a3ef6307049aa0ff215720ab1fc885007393d
• 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7

The potential hacker bridged all the stolen funds to Ethereum.

According to Wu, officials had stated the launch of the Core Farming Pools and public sale was delayed until the Audit by Certik was completed to provide reassurance to potential investors. However, shortly after the audit was completed and Merlin began the public sale, unfortunate events took place as the sale was stolen by an unknown perpetrator.

The founder of Certik recently gave an interview with Chinese media, where he expressed pride in Certik’s accomplishments. According to him, Certik has made significant strides in blockchain security and has achieved a 70% share of the crypto security market. Additionally, he claimed that Certik had reduced the cost of Web3 security audits by over 90%.

In response to the issue, Certik found that there may be a problem with the management of private keys rather than an exploit being the root cause.

Initial findings point to a potential private key management issue rather than an exploit as the root-cause. While audits cannot prevent private key issues, we always highlight best practices to projects.

Certik responsed

According to zkaliburDEX‘s research on Merlin smart contracts, they have identified a malicious code that caused the funds to be drained. The initialize function’s two lines of code grant approval for the feeTo address to transfer an unlimited amount of token0 and token1 from the contract’s address, which could potentially be used to transfer tokens from the contract’s address to itself.

Additionally, redragonvn reported a “backdoor” code in the Merlin code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, posing a clear security risk as there is no use case that requires its approval.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Thana

Coincu News

DEX Merlin

Merlin

Zksync

zkSync 2.0

Author

Thana

I am a news editor at Coincu, where I produce daily editorial packages and manage the knowledge and review article sections. Before journalism, I earned a Bachelor's degree in Global Logistics and Supply Chain Management from Northampton University and studied news journalism at Press Association Training.

Related Posts

• Matter Labs Workforce Reduction Happens for the First Time Since 2018
• ZKsync Mainnet Governance Launches With Onchain Contracts
• Treasure DAO Proposal Released for Layer 2 Migration

Scam Alert

BREAKING: zkSync DEX Merlin Hacked, $1.82 Million In Stolen Funds

Key Points:

• The DEX Merlin of zkSync was hacked and over $1.82 million in funds was stolen.
• Certik found that a potential private key management issue could be the root cause of the hack.
• zkaliburDEX’s research on Merlin smart contracts identified a malicious code that caused the funds to be drained.

zkSync, a Layer 2 scaling solution for Ethereum, has experienced a significant setback as its DEX Merlin was hacked. The hacker has stolen over $1.82 million in funds, and the LP has been drained.

According to the founder of OxScope, 0xBobie, the stolen funds have been identified to be in two wallets:

• 0x0b8a3ef6307049aa0ff215720ab1fc885007393d
• 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7

The potential hacker bridged all the stolen funds to Ethereum.

Stolen funds ($1,823,477) are in
1, 0x0b8a3ef6307049aa0ff215720ab1fc885007393d
2, 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7

The potential hacker bridged all of them to Ethereum. https://t.co/ADDnuhNjVI pic.twitter.com/26zbt9AG9M

— Bobie (@0xBobie) April 26, 2023

According to Wu, officials had stated the launch of the Core Farming Pools and public sale was delayed until the Audit by Certik was completed to provide reassurance to potential investors. However, shortly after the audit was completed and Merlin began the public sale, unfortunate events took place as the sale was stolen by an unknown perpetrator.

Officials said the Core Farming Pools and public sale will only be launched after Audit is completed by Certik in order to reassure investors. Just after Certik completed the audit and Merlin started the public sale, it was stolen. https://t.co/HF5r8bauaphttps://t.co/56kWGoptog

— Wu Blockchain (@WuBlockchain) April 26, 2023

The founder of Certik recently gave an interview with Chinese media, where he expressed pride in Certik’s accomplishments. According to him, Certik has made significant strides in blockchain security and has achieved a 70% share of the crypto security market. Additionally, he claimed that Certik had reduced the cost of Web3 security audits by over 90%.

In response to the issue, Certik found that there may be a problem with the management of private keys rather than an exploit being the root cause.

Initial findings point to a potential private key management issue rather than an exploit as the root-cause. While audits cannot prevent private key issues, we always highlight best practices to projects.

Certik responsed

According to zkaliburDEX‘s research on Merlin smart contracts, they have identified a malicious code that caused the funds to be drained. The initialize function’s two lines of code grant approval for the feeTo address to transfer an unlimited amount of token0 and token1 from the contract’s address, which could potentially be used to transfer tokens from the contract’s address to itself.

Additionally, redragonvn reported a “backdoor” code in the Merlin code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, posing a clear security risk as there is no use case that requires its approval.

3/4 However, in the Merlin code, there is a "backdoor" code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function. This backdoor is a clear security risk as there is no use case that requires its approval. pic.twitter.com/HAnwZT27ZS

— Thanh Nguyen (@redragonvn) April 26, 2023

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Thana

Coincu News

Visited 160 times, 1 visit(s) today

Other Posts

Related Posts

Casino Reviews

- 375 days ago 49 mins

Top Bitcoin Casino Sites In 2024

Gambling

- 346 days ago 10 mins

Best Bitcoin Blackjack Casinos In 2024

Casino Reviews

- 335 days ago 16 mins

Best Tether Casino Sites With USDT Bonuses 2024

Uncategorized

- 501 days ago 11 mins

Top 5 Gambling Projects Will Offer You The Most Attractive Benefits 

Press Releases

- 64 days ago 3 mins

PlayDoge ICO Raises $5.7 Million: Analyzing Why Investors Are Taking Notice

Knowledge

- 257 days ago 9 mins

How To Close Crypto.com Account: Detailed Guideline!

Knowledge

- 252 days ago 12 mins

Crypto To Crypto Converter: Detailed Guide For Beginners And Important Notes

Crypto Millionaire

- 158 days ago 13 mins

Akon Net Worth: How Rich Is He? (Updated 2024)