
CertiK blames zkSync’s MerlinDEX hack on private key management issue 

crypto.news, 26 April 2023 05:14 UTC

CertiK has attributed the over $1.82 million loss suffered by zkSync-based decentralized exchange, MerlinDEX, to a private key management issue rather than an exploit by bad actors. CertiK conducted an audit on MerlinDEX’s smart contracts before the incident.

MerlinDEX, a zkSync-based platform, is the latest decentralized finance protocol to lose the funds in its liquidity pool. The decentralized exchange (DEX) lost over $1.82 million during the early hours of April 26.


So far, there have been conflicting reports about the exact cause of the asset loss. The blockchain security firm CertiK, which recently audited the project's code, says its initial investigation points to a private key management issue rather than an exploit of the contracts.

We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.

While audits cannot prevent private key issues, we always highlight best practices to projects.

Should any foul…

— CertiK (@CertiK) April 26, 2023

However, eZKalibur, another zkSync-based decentralized exchange project, claims to have researched the MerlinDEX smart contracts and identified the loophole that enabled the heist.

📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.

These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB

— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
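The pattern eZKalibur's tweet describes, as an added illustration that is not MerlinDEX's code (the contract names, the once-only guard in initialize and the fee accounting in the second contract are assumptions): a pool whose initialize leaves a standing unlimited allowance to feeTo, beside a variant that grants no allowance at all, so a compromised fee-recipient key can reach only the accrued fees, never the reserves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool with the pattern from the tweet: initialize leaves an
// unlimited allowance to feeTo on both reserve tokens, so whoever holds the
// feeTo key can transferFrom() the entire reserves. A private key problem
// alone is then enough to drain the pool, no contract bug required.
contract RiskyPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public feeTo;

    constructor(IERC20 t0, IERC20 t1) { token0 = t0; token1 = t1; }

    function initialize(address _feeTo) external {
        require(feeTo == address(0), "already initialized"); // assumed guard
        feeTo = _feeTo;
        token0.approve(_feeTo, type(uint256).max); // the two risky lines:
        token1.approve(_feeTo, type(uint256).max); // reserves spendable by feeTo
    }
}

// Hardened variant: no allowance is ever granted. Fees are tracked in storage
// and only the accrued amount can leave, so a compromised feeTo key is bounded
// by the fee balance rather than by the whole liquidity pool.
contract SaferPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public feeTo;
    uint256 public accruedFee0;
    uint256 public accruedFee1;

    constructor(IERC20 t0, IERC20 t1, address _feeTo) {
        token0 = t0; token1 = t1; feeTo = _feeTo;
    }

    // Called by the swap logic (omitted here) whenever a fee is earned.
    function _recordFee(uint256 fee0, uint256 fee1) internal {
        accruedFee0 += fee0;
        accruedFee1 += fee1;
    }

    function collectFees() external {
        require(msg.sender == feeTo, "not feeTo");
        (uint256 f0, uint256 f1) = (accruedFee0, accruedFee1);
        (accruedFee0, accruedFee1) = (0, 0); // effects before interactions
        require(token0.transfer(feeTo, f0) && token1.transfer(feeTo, f1), "fee transfer failed");
    }
}
```

A reviewer can spot the first pattern by searching an audited code base for approve calls whose amount is type(uint256).max and asking who controls the spender's key.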

#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited. One of the exploiters 0x2744…9b7 has grabbed ~850K $USDC and bridged them to #Ethereum https://t.co/hfgjJJY7Ml pic.twitter.com/07uSGMAt7e

— PeckShieldAlert (@PeckShieldAlert) April 26, 2023

While the DeFi ecosystem saw an increased TVL (total value locked) during the first quarter of the year, hacks and rug pulls continue to plague the industry with no permanent solution.

According to CertiK, bad actors drained more than $320 million from the crypto space during the first quarter of this year alone. At the current rate, the total could surpass the over $3 billion stolen last year by the end of 2023.
