In a recent incident, Merlin, a decentralized exchange (DEX) operating on the zkSync layer 2 solution, was exploited, resulting in a loss of $1.82 million and draining liquidity provider (LP) funds. According to reports, the hackers exploited a vulnerability in the platform’s smart contract, which allowed them to manipulate the LP tokens and drain the funds.
According to the reports, the funds stolen from the platform are said to be linked to two wallet addresses:
- 0x0b8a3ef6307049aa0ff215720ab1fc885007393d
- 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7
In addition, the cybercriminals laundered the stolen funds by transferring them to Ethereum (ETH).
Merlin underwent a CertiK audit recently and kicked off its public sale on April 25th. Unfortunately, less than 24 hours later, hackers targeted the project. The team promptly advised users to revoke their approval of the smart contract and is currently investigating the incident.
It’s worth noting that the CertiK audit Merlin received is a security-focused review of the project’s smart contracts. However, hackers still targeted the project shortly after its public sale began.
CertiK, a blockchain security firm, has announced that it is investigating the Merlin incident following the hack on the platform. According to the firm’s initial findings, the root cause may be a private key management problem rather than an exploit. Although audits cannot necessarily prevent such private key issues, CertiK aims to emphasize best practices for projects to mitigate potential risks.
CertiK has committed to working with the appropriate authorities and sharing all relevant information if any suspicious activity is discovered. The firm urges individuals to stay tuned for future updates regarding the ongoing investigation.