Decentralized exchange Merlin on Zksync, fraudulent outflow of about 250 million yen

Merlin unauthorized exfiltration

It was revealed on the 26th that decentralized exchange Merlin was hacked and over 250 million yen ($1.82 million) of funds were stolen. Merlin is one of the protocols on the L2 project “zkSync” of the crypto asset (virtual currency) Ethereum (ETH).

Liquidity pools (LPs), which lock up funds in smart contracts, were targeted. Hackers allegedly bridged all stolen funds from LPs onto the Ethereum chain.

#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited. One of the exploiters 0x2744…9b7 has grabbed ~850K $USDC and bridged them to #Ethereum https://t.co/hfgjJJY7Ml pic.twitter.com/07uSGMAt7e

— PeckShieldAlert (@PeckShieldAlert) April 26, 2023

Merlin just started a public sale of its own token MAGE at 00:00 on the 26th (Japan time). As a “Liquidity Generating Event (LGE),” Merlin planned to get ETH liquidity contributions from participants and allocate MAGE. Investors who participated in this public sale were provided with the benefit of a bonus airdrop of “Escrow Token (stMAGE)”, which received project dividends.

Also, in blogs on the 15th and 25th, the project team emphasized that security is a top priority and all smart contracts are fully audited by security company Certik before going on sale.

According to OxScope founder 0xBobie, the stolen funds were found in two wallets (a,b). Blockchain security firm PeckShield has confirmed that one account, 0x2744…9b7, has bridged approximately $850,000 worth of his USDCoin (USDC) to the Ethereum (ETH) chain. there is

connection:Ethereum L2 “zkSync” to recover ETH of about 230 million yen trapped

Post-audit hack

from Merlin second in command, no response to last text even now, founder Prospero is MIA

there goes a lot of money for me and many other people

thank God I passed on seed, literally voice noted the founder telling him not to be an idiot and switch up the terms https://t.co/EgRZc0AIiU pic.twitter.com/PSDCa1TmSP

— Zen (@xen) April 26, 2023

On Twitter, there is widespread speculation that the Merlin incident was a “rag pull.” One user claims that Merlin granted unrestricted authorization (type(uint256).max) to the attacker’s address based on a smart contract, causing the problem of illegally withdrawing funds from the pool. there is

Xen also posted a picture of Merlin and ZkSync’s Telegram group conversation (in which he was involved in an advisory role). Since the Merlin project team does not understand these mechanisms and appears to be confused by the unauthorized outflow, we speculated that it was a single action by the founder.

Certik released the results of Merlin’s audit on the 24th. It notes a major risk that “under certain circumstances may result in the loss of funds or control of the project,” but the status is “Resolved.” It’s unclear if it detected abuse of “unrestricted approvals,” but the post-audit hacking incident has raised suspicions among the cryptocurrency community. According to an interview with Certik CEO Gu Ronghui published on the 26th, the company has a 70% share of the cryptocurrency security market.

connection:DeFi’s 1inch, Deploy Protocol on Ethereum L2 ‘zkSync Era’

The post Decentralized exchange Merlin on Zksync, fraudulent outflow of about 250 million yen appeared first on Our Bitcoin News.