May 5 (Cointime) - Blockchain cybersecurity firm CertiK has provided an update on the Merlin DEX incident that occurred on April 25th. The incident was an internal rug pull: Merlin insiders took $1.8M of their users' funds by abusing the owner wallet's privileges.
Last week, Cointime reported that Merlin, a DEX built on zkSync, had experienced a liquidity drain. Merlin had recently undergone a CertiK audit and launched a public sale on April 24.
So far, $160K of the stolen funds has been frozen with the help of partners, and CertiK says it will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.
According to the tweet thread, CertiK initially tried to collaborate with the remaining members of the Merlin team to aid victims, but encountered difficulties due to several core members' unwillingness to verify their true identities. As a result, CertiK is now focusing on working with law enforcement and has submitted information to relevant US and UK agencies. The firm is also exploring all possibilities to fight exit scams with the $2M they have committed.
CertiK has admitted that although the centralization risks were called out in the report, the impact of these findings was not made clear enough. The firm stated:
"The centralized privileges should have been distinctly highlighted so users were aware of the risks. Going forward, CertiK will prioritize centralization risks in audit summaries to ensure users have a complete picture of potential risks."
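The risk CertiK describes is a generic one: functions gated by an owner or admin role that can move pool or user funds are a single point of failure, and an audit summary should surface them explicitly rather than bury them in a findings table. The following is an added example, not CertiK's tooling and not Merlin's contract code. It is a heuristic source scanner (regular expressions over Solidity text, not a real parser) that lists privileged functions and ranks the ones that can transfer or approve tokens as high-severity centralization findings. The contract source, the modifier names and the severity labels are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample contract for illustration only; it is not Merlin's code.
# It mixes a harmless owner setting (fee) with two owner-only functions that
# can pull or approve away tokens held by the pool.
SAMPLE_SOURCE = """
contract Pool {
    address public owner;
    address public lpToken;
    uint256 public fee;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function setFee(uint256 f) external onlyOwner { fee = f; }

    function rescue(address token, address to, uint256 amount) external onlyOwner {
        IERC20(token).transfer(to, amount);
    }

    function approveRouter(address token, address router) external onlyOwner {
        IERC20(token).approve(router, type(uint256).max);
    }

    function withdraw(uint256 amount) external {
        IERC20(lpToken).transfer(msg.sender, amount);
    }
}
"""

# Modifier names treated as privilege gates (assumption: common naming conventions).
PRIVILEGE_MODIFIERS = {"onlyOwner", "onlyAdmin", "onlyRole"}
# Calls that can move or delegate control over tokens/ETH.
FUND_MOVING = re.compile(
    r"\.(transfer|transferFrom|approve|safeTransfer|safeApprove|call\{value)\b"
)
# function <name>(<params>) <header tail> {   -- header tail holds visibility/modifiers
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{]*)\{", re.S)


@dataclass
class Finding:
    name: str
    modifiers: list = field(default_factory=list)
    moves_funds: bool = False
    severity: str = "MEDIUM"


def extract_body(src: str, brace_pos: int) -> str:
    """Return the text between the '{' at brace_pos and its matching '}'."""
    depth = 0
    for i in range(brace_pos, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[brace_pos + 1:i]
    return src[brace_pos + 1:]


def scan(src: str) -> list:
    """List privileged functions; those that can move funds are rated HIGH."""
    findings = []
    for m in FUNC_RE.finditer(src):
        name, header_tail = m.group(1), m.group(3)
        mods = [w for w in re.findall(r"\b\w+\b", header_tail) if w in PRIVILEGE_MODIFIERS]
        if not mods:
            continue  # unprivileged function: not a centralization risk
        body = extract_body(src, m.end() - 1)
        moves = bool(FUND_MOVING.search(body))
        findings.append(Finding(name, mods, moves, "HIGH" if moves else "MEDIUM"))
    return findings


def summarize(findings: list) -> list:
    """Plain-language lines for an audit summary, highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.name)):
        what = "can move or approve pool funds" if f.moves_funds else "changes parameters"
        lines.append(f"{f.severity}: {f.name} gated by {','.join(f.modifiers)} {what}")
    return lines


if __name__ == "__main__":
    for line in summarize(scan(SAMPLE_SOURCE)):
        print(line)
```

On the sample, `rescue` and `approveRouter` are reported as HIGH because the owner key alone can drain or delegate away pool tokens, while `setFee` is MEDIUM. The scanner is deliberately crude: it misses privileges enforced by inline `require` checks, inherited modifiers under other names, or upgradeable proxies, so it is a prompt for the auditor's summary, not a substitute for review. The mitigations such a finding should point to are the usual ones: put privileged functions behind a multisig and timelock, remove fund-moving owner paths that have no legitimate purpose, and state plainly in the summary which party holds the key.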
This was an internal rugpull. Merlin insiders abused the owner wallet’s privileges. We initially tried to collaborate with the remaining members of the Merlin team but a number of core members were unwilling to verify their true identities.
— CertiK (@CertiK) May 4, 2023
Read the full thread:
This lack of cooperation has complicated our efforts to validate and aid victims. We are focusing on working with law enforcement and have submitted information to relevant US & UK agencies.
We are exploring all possibilities to fight exit scams with the $2M we’ve committed.
We have successfully frozen $160K of the stolen funds with the help of partners. We will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.
Although the centralization risks were called out in the report, we didn’t make the impact of these findings as clear as they needed to be.
The centralized privileges should have been distinctly highlighted so users were aware of the risks.
Going forward, CertiK will prioritize centralization risks in audit summaries to ensure users have a complete picture of potential risks.
We recognize that audit reports can be highly technical documents, and it’s our job to communicate the risks clearly and transparently.
To clarify: the $2 million we have pledged will be used to fight exit scams as well as help scam victims.