QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$1 800 000 USD
APRIL 2023
GLOBAL
MERLIN DEX
DESCRIPTION OF EVENTS
"Merlin is an immutable, permissionless, community-focused DEX based on ZkSync."
"Merlin is based on a dual AMM capable of supporting both volatile (UniV2) and stable (Curve-like) exchanges while minimizing fees and maximizing speed and dependability."
"In addition, we’re introducing dynamic directional fees for our trading pairs: this allows for various fees to be set for each pool, as well as different fees based on the swap direction (buying/selling)."
"These innovative AMM features enable us to offer pool configurations that are significantly more specialized and tailored to the particular trading pairs."
"Earnings from the protocol, initially derived primarily from swap fees, will be partially redistributed to stMAGE users in the form of real yield and used to maintain a continuous buying pressure on MAGE."
"Merlin had passed its second audit by Certik just two days before the attack."
"We advise the client to carefully manage the privileged account's private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multisignature wallets."
"However, this issue was marked as ‘Resolved’ by Certik, who stated that the Merlin team had promised to use a multisig. Enough users apparently didn’t read the audit fully, or simply didn’t care about the implications of trusting the project."
"$1.8M disappeared in a puff of smoke as Merlin pulled the classic DeFi magic trick."
"Merlin, a DEX native to the recently-launched zksync L2, was in the middle of a 3-day “Liquidity Generation Event” as part of its token (MAGE) launch."
"The alarm was initially raised by a community member before Peckshield spread the message. Merlin then acknowledged the incident, advising users to revoke permissions as a precaution."
"The rug mechanism was a straightforward case of draining the liquidity pools into which users were depositing as part of the MAGE token sale."
"This was made possible via max approvals granted to the Feeto address upon deployment of the pools. The individual/s in control of the Feeto address could then drain the pool of all assets, which were then bridged to ETH."
"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."
"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."
Merlin was a decentralized exchange (DEX) on zkSync Era built around a dual AMM that supports both volatile (UniV2-style) and stable (Curve-like) pairs, with dynamic directional fees that let each pool charge a different rate depending on the swap direction. Protocol earnings, initially from swap fees, were to be partially redistributed to stMAGE holders and used to sustain buying pressure on MAGE. Two days before the incident Merlin passed its second Certik audit. That audit had flagged the centralization risk in the protocol's privileged account and marked the finding resolved on the strength of the team's promise to use a multisig; the multisig was not actually in place at the time. During the three-day Liquidity Generation Event for the MAGE token launch, the liquidity pools were drained of roughly $1.8 million. The mechanism was a standing maximum allowance that each pool granted to the Feeto address at deployment, so whoever controlled that address could call transferFrom on the pools' reserves without going through any pool function. The advice to revoke user approvals protected only tokens still in users' wallets, not assets already deposited, because the allowance was held by the pool contracts themselves. Merlin's post-mortem blamed the back-end development team, linked the developers' GitHub profiles and stated that Serbian authorities had been contacted. The stolen funds were bridged back to Ethereum, swapped for ETH and moved on to other addresses.
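The approval pattern described above, reconstructed as an added illustration. This is not Merlin's code and none of it was published by the project: the contract names, the `feeTo` identifier (the page writes "Feeto"), the fee rate and the `owner` role are assumptions. The first contract shows a pool that grants the fee recipient an unbounded allowance at deployment; the second shows the same pool with fees booked as an internal claim and pushed out by the pool itself, so no standing allowance exists to drain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Merlin's code. Names, FEE_BPS and the owner role are assumed.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// VULNERABLE PATTERN: the pool grants an unbounded allowance over its own reserves
/// to feeTo at deployment. No pool function is needed to drain it: the holder of the
/// feeTo key calls token0.transferFrom(pool, anywhere, token0.balanceOf(pool)) on the
/// token contract directly. Users revoking their own approvals cannot undo this,
/// because the allowance belongs to the pool, not to them.
contract VulnerablePool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeTo;
    uint256 public reserve0;
    uint256 public reserve1;

    constructor(IERC20 _token0, IERC20 _token1, address _feeTo) {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // The backdoor: a standing max allowance to a single externally held key.
        token0.approve(_feeTo, type(uint256).max);
        token1.approve(_feeTo, type(uint256).max);
    }

    function deposit(uint256 amount0, uint256 amount1) external {
        require(token0.transferFrom(msg.sender, address(this), amount0), "token0 in");
        require(token1.transferFrom(msg.sender, address(this), amount1), "token1 in");
        reserve0 += amount0;
        reserve1 += amount1;
    }
}

/// HARDENED PATTERN: no allowance is ever granted. Fees are recorded as a claim
/// inside the pool and pushed out by the pool, so at most the accrued fee can reach
/// feeTo. Rotating feeTo requires `owner`, meant to be a multisig or timelock, not an EOA.
contract HardenedPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable owner;
    address public feeTo;
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public accruedFee0;
    uint256 public accruedFee1;
    uint256 public constant FEE_BPS = 30; // 0.30% protocol fee (assumed)

    constructor(IERC20 _token0, IERC20 _token1, address _feeTo, address _owner) {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        owner = _owner;
        // Deliberately no approve() calls: nobody can transferFrom the reserves.
    }

    function deposit(uint256 amount0, uint256 amount1) external {
        require(token0.transferFrom(msg.sender, address(this), amount0), "token0 in");
        require(token1.transferFrom(msg.sender, address(this), amount1), "token1 in");
        reserve0 += amount0;
        reserve1 += amount1;
    }

    /// Constant-product swap; the protocol fee is booked, not moved.
    function swap(bool zeroForOne, uint256 amountIn, uint256 minOut) external returns (uint256 amountOut) {
        require(amountIn > 0, "zero input");
        IERC20 tokenIn = zeroForOne ? token0 : token1;
        IERC20 tokenOut = zeroForOne ? token1 : token0;
        uint256 rIn = zeroForOne ? reserve0 : reserve1;
        uint256 rOut = zeroForOne ? reserve1 : reserve0;

        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "token in");
        uint256 fee = amountIn * FEE_BPS / 10_000;
        uint256 netIn = amountIn - fee;
        amountOut = rOut * netIn / (rIn + netIn);
        require(amountOut >= minOut, "slippage");

        if (zeroForOne) {
            reserve0 = rIn + netIn;
            reserve1 = rOut - amountOut;
            accruedFee0 += fee;
        } else {
            reserve1 = rIn + netIn;
            reserve0 = rOut - amountOut;
            accruedFee1 += fee;
        }
        require(tokenOut.transfer(msg.sender, amountOut), "token out");
    }

    /// Anyone may trigger collection; the payout is bounded by what was accrued.
    function collectFees() external {
        uint256 f0 = accruedFee0;
        uint256 f1 = accruedFee1;
        accruedFee0 = 0;
        accruedFee1 = 0;
        if (f0 > 0) require(token0.transfer(feeTo, f0), "fee0 out");
        if (f1 > 0) require(token1.transfer(feeTo, f1), "fee1 out");
    }

    function setFeeTo(address _feeTo) external {
        require(msg.sender == owner, "not owner");
        feeTo = _feeTo;
    }
}
```

The check a user or reviewer can run against any live pool, before depositing, is to query each reserve token's `allowance(pool, feeTo)` (with Foundry, `cast call <token> "allowance(address,address)(uint256)" <pool> <feeTo> --rpc-url <rpc>`); any non-zero value, let alone `type(uint256).max`, means a single key can empty the pool regardless of what the audit report says about a multisig.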
HOW COULD THIS HAVE BEEN PREVENTED?
Users relied on a single audit firm, and the audit was completed before the promised multisig was actually set up: Certik marked the centralization finding as resolved on the strength of the team's promise rather than a verified deployment. A "resolved" status for a privileged-key finding should be tied to the deployed state, confirming on-chain that the privileged address is a multisig or timelock and that the pool contracts hold no standing allowances to it.
Rekt - Merlin DEX - REKT (May 3)
Mage.Exchange | MerlinDEX (May 3)
Merlin A Zksync Dex Liquidity Lodger (May 3)
zkSync Era Block Explorer (May 3)
zkSync Era Block Explorer (May 3)
zkSync Era Block Explorer (May 3)
@TheMerlinDEX Twitter (May 3)
@PeckShieldAlert Twitter (May 3)
@BeosinAlert Twitter (May 3)
@wasgiventhatday Twitter (May 3)
https://medium.com/@nelsonblue41/introduction-to-merlin-d489a40cf4d6 (Nov 30)
