Ethereum-based decentralized exchange (DEX) Merlin, which uses zero-knowledge sync (zkSync), has lost more than $1.8 million in a liquidity pool exploit hours after smart contract security firm CertiK audited its code.
The hack occurred on Wednesday morning during the public sale of Merlin's native token, MAGE, with the attacker siphoning several assets, including USD Coin (USDC), Ether (ETH), and other illiquid tokens.
Merlin's LP Drained After Code Audit
A few hours after the exploit, CertiK tweeted that it was investigating the incident and working to understand its impact on the community. The security firm disclosed that its initial findings suggested that a private key management issue may have led to the hack and not an exploit, as widely believed.
CertiK said it had pointed out the centralization risk in its recent audit report for Merlin under the "Decentralization Efforts" section. The firm maintained that while audits cannot prevent private key issues, it always makes a point of highlighting better practices for projects.
According to the audit dated April 24, 2023, CertiK recommended that Merlin replace its centralized roles with a decentralized mechanism such as multi-signature wallets to improve its security practices. The firm also asked the protocol to implement a timelock with a delay of at least 48 hours to avoid a single point of failure in key management. CertiK has also promised to work with the appropriate authorities if any foul play is discovered.
"We encourage all community members to review this information and all audits fully. As we navigate this challenging situation, we want to assure you that we are taking all necessary measures to protect our community's interests," CertiK said.
Malicious Code Detected
Interestingly, eZKalibur, another zkSync DEX and launchpad, revealed it had identified the malicious code that enabled the hackers to drain Merlin's funds. The DEX said it found two lines of code in the initialize function that gave the feeTo address approval to transfer an unlimited amount of tokens from the contract's address.
We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
— eZKalibur (@zkaliburDEX) April 26, 2023
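Added example, not code from the article, Merlin, eZKalibur or CertiK: a small Python checker that scans ERC-20 Approval event logs for the pattern described above, a pool contract granting a type(uint256).max allowance to some other address. The pool, feeTo, user and token addresses and the two log entries are constructed placeholders, not Merlin's real contracts.

```python
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1  # what Solidity's type(uint256).max evaluates to
# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


@dataclass
class Log:
    """Minimal shape of an EVM event log as returned by eth_getLogs."""
    address: str   # token contract that emitted the event
    topics: list   # [event signature, indexed owner, indexed spender]
    data: str      # ABI-encoded 32-byte allowance value, hex


def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def find_pool_approvals(logs, pool_addresses, min_value=UINT256_MAX):
    """Return Approval events where a pool contract is the *owner* granting an
    allowance of at least min_value to any spender. An AMM pair has no reason to
    approve an external address for its own reserves, so any hit deserves a look;
    an unlimited one is exactly the initialize() pattern eZKalibur described."""
    pools = {a.lower() for a in pool_addresses}
    findings = []
    for log in logs:
        if len(log.topics) != 3 or log.topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(log.topics[1]), topic_to_address(log.topics[2])
        value = int(log.data, 16)
        if owner in pools and value >= min_value:
            findings.append({"token": log.address.lower(), "owner": owner,
                             "spender": spender, "unlimited": value == UINT256_MAX})
    return findings


# Constructed sample data (placeholder addresses, not the real Merlin contracts).
POOL = "0x1111111111111111111111111111111111111111"
FEE_TO = "0x2222222222222222222222222222222222222222"
USER = "0x3333333333333333333333333333333333333333"
USDC = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

def pad(addr: str) -> str:  # encode an address as a 32-byte indexed topic
    return "0x" + addr[2:].lower().rjust(64, "0")

SAMPLE_LOGS = [
    # backdoor: the pool approves feeTo for type(uint256).max during initialize()
    Log(USDC, [APPROVAL_TOPIC, pad(POOL), pad(FEE_TO)], hex(UINT256_MAX)),
    # benign: a user approving the pool for a bounded amount (1,000 USDC)
    Log(USDC, [APPROVAL_TOPIC, pad(USER), pad(POOL)], hex(1_000 * 10**6)),
]

if __name__ == "__main__":
    for f in find_pool_approvals(SAMPLE_LOGS, [POOL]):
        print("ALERT: pool", f["owner"], "approved", f["spender"],
              "for an unlimited amount" if f["unlimited"] else "for a large amount")
```

Only the first constructed log is flagged; the user's bounded approval of the pool is the normal direction and is ignored.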
Meanwhile, the Merlin team has asked users to revoke access to the connected site on their wallets as they analyze the cause of the exploit.
The post zkSync DEX Merlin Exploited for Over $1.8M After Code Audit appeared first on CryptoPotato.