BREAKING: zkSync DEX Merlin Hacked, $1.82 Million In Stolen Funds
- The DEX Merlin of zkSync was hacked and over $1.82 million in funds was stolen.
- Certik found that a potential private key management issue could be the root cause of the hack.
- zkaliburDEX’s research on Merlin smart contracts identified a malicious code that caused the funds to be drained.
zkSync, a Layer 2 scaling solution for Ethereum, has experienced a significant setback as its DEX Merlin was hacked. The hacker has stolen over $1.82 million in funds, and the LP has been drained.
According to the founder of OxScope, 0xBobie, the stolen funds have been identified to be in two wallets:
The potential hacker bridged all the stolen funds to Ethereum.
According to Wu, officials had stated the launch of the Core Farming Pools and public sale was delayed until the Audit by Certik was completed to provide reassurance to potential investors. However, shortly after the audit was completed and Merlin began the public sale, unfortunate events took place as the sale was stolen by an unknown perpetrator.
The founder of Certik recently gave an interview with Chinese media, where he expressed pride in Certik’s accomplishments. According to him, Certik has made significant strides in blockchain security and has achieved a 70% share of the crypto security market. Additionally, he claimed that Certik had reduced the cost of Web3 security audits by over 90%.
In response to the issue, Certik found that there may be a problem with the management of private keys rather than an exploit being the root cause.
Initial findings point to a potential private key management issue rather than an exploit as the root-cause. While audits cannot prevent private key issues, we always highlight best practices to projects.Certik responsed
According to zkaliburDEX‘s research on Merlin smart contracts, they have identified a malicious code that caused the funds to be drained. The initialize function’s two lines of code grant approval for the feeTo address to transfer an unlimited amount of token0 and token1 from the contract’s address, which could potentially be used to transfer tokens from the contract’s address to itself.
Additionally, redragonvn reported a “backdoor” code in the Merlin code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, posing a clear security risk as there is no use case that requires its approval.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join us to keep track of news: https://linktr.ee/coincu