Merlin DEX Liquidity Pool Drained: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Revision as of 16:57, 8 May 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Merlin DEX

Merlin is a decentralized exchange (DEX) based on zkSync, designed to support both volatile and stable swaps with low fees and fast execution. The platform introduces dynamic directional fees, which allow a different fee to be set for each pool and for each swap direction. Earnings from the protocol will be partially redistributed to stMAGE holders and used to maintain continuous buying pressure on MAGE. However, despite passing its second audit by Certik, Merlin suffered a rug pull during its Liquidity Generation Event, resulting in the loss of $1.8 million. The incident was caused by max approvals granted to the Feeto address upon deployment of the pools, which allowed the individuals in control of that address to drain the pools of all assets and bridge them to ETH. Merlin's post-mortem places the blame on the back-end development team, and the rugged funds were bridged back to Ethereum, swapped for ETH, and transferred to other addresses.

About Merlin DEX

Merlin is a community-focused decentralized exchange (DEX) built on zkSync, a protocol for scalable and secure Ethereum transactions. The platform is designed to offer unique liquidity features, including an innovative yield strategy based on non-fungible staked positions that enhances capital efficiency. Merlin will use two tokens: MAGE, a liquid emission token, and stMAGE, an escrowed governance token that cannot be transferred, to incentivize participants in the ecosystem. Earnings from the protocol will be partially redistributed to stMAGE users in the form of yield and used to maintain a continuous buying pressure on MAGE. stMAGE will be allocated to special contracts known as Plugins, providing additional functionality to the protocol. The platform will have a dynamic automated market maker (AMM) capable of supporting both volatile and stable exchanges with various fees set for each pool and different fees based on the swap direction. Merlin aims to become a liquidity beacon in the zkSync ecosystem by surpassing existing DEX offerings and supporting new protocols launching on zkSync[1][2].

"Merlin had passed its second audit by Certik just two days before the attack."

"Merlin, a DEX native to the recently-launched zksync L2, was in the middle of a 3-day “Liquidity Generation Event” as part of its token (MAGE) launch."

The Reality

Merlin's audit contained the following warning:

"We advise the client to carefully manage the privileged account's private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multisignature wallets."

However, this issue was marked as ‘Resolved’ by Certik, who stated that the Merlin team had promised to use a multisig. Enough users apparently didn’t read the audit fully, or simply didn’t care about the implications of trusting the project.

What Happened

The liquidity pool of the Merlin DEX, into which users were depositing as part of the MAGE token sale, was drained[3].

{| class="wikitable"
|+Key Event Timeline - Merlin DEX Liquidity Pool Drained
! Date !! Event !! Description
|-
|April 25th, 2023 5:58:00 PM MDT
|Liquidity Pool Draining
|One of the transactions involved in draining the liquidity pool[4][5]. TBD - figure out what this transaction is:[6]
|-
|April 25th, 2023 7:44:00 PM MDT
|Exploit Warning on Twitter
|An alarm that the liquidity pool had been drained was initially posted on Twitter by Twitter user wasgiventhatday.[7]
|-
|April 25th, 2023 10:11:00 PM MDT
|PeckShield Posts On Twitter
|PeckShield posts an alert on Twitter[8]. TBD details.
|-
|April 25th, 2023 11:09:00 PM MDT
|MerlinDEX Acknowledges Incident
|The Merlin DEX acknowledges the exploit on Twitter[9]. TBD more details.
|-
|April 26th, 2023 1:21:00 AM MDT
|Beosin Alert on Twitter
|Beosin Alert publishes a warning on Twitter about the exploit[10].
|-
|April 26th, 2023 11:47:00 AM MDT
|MerlinDEX Releases Post-Mortem
|The Merlin DEX provides a post-mortem of the exploit on Twitter[11]. They also announce that they have contacted the Serbian authorities[12]. TBD more details.
|-
|April 27th, 2023 1:13:00 PM MDT
|Rekt Publishes Article
|The situation is published on Rekt[13]. TBD more description[3].
|}

Technical Details

"The rug mechanism was a straightforward case of draining the liquidity pools into which users were depositing as part of the MAGE token sale."[3]

"This was made possible via max approvals granted to the Feeto address upon deployment of the pools. The individual/s in control of the Feeto address could then drain the pool of all assets, which were then bridged to ETH."

"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."

Furthermore, the back-end team who also have access to our web-host had unknowingly manipulated our code to achieve their goal.

We had submitted all intended contracts to be used on our platform to Certik who carried out a full audit. However there has been a clear oversight on the overarching power the _owner had of the pools.

They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts.
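The drain path described above is a standing ERC-20 allowance from the pool contracts to the privileged Feeto address. A pair contract holds its own reserves and has no reason to approve any spender, so a non-zero allowance whose owner is a pool is a red flag a depositor could have checked for before the Liquidity Generation Event. The Python check below is an added example, not code from the case study or from Merlin; it runs over a constructed snapshot of Approval events and balances (placeholder addresses, made-up amounts) rather than live chain data, and it generalises the Feeto case to any spender.

```python
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)"): the log topic an indexer
# filters on when pulling real Approval events from an explorer or RPC node.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) event."""
    token: str
    owner: str      # account whose tokens may be spent
    spender: str    # account allowed to call transferFrom on them
    value: int
    block: int


@dataclass(frozen=True)
class Finding:
    pool: str
    token: str
    spender: str
    allowance: int
    balance: int
    unlimited: bool

    @property
    def drainable_fraction(self) -> float:
        """Share of the pool's current token balance the spender can take now."""
        if self.balance == 0:
            return 0.0
        return min(self.allowance, self.balance) / self.balance


def latest_allowances(events):
    """Approval events overwrite rather than accumulate: keep only the last
    value per (token, owner, spender) so a later revoke (value 0) clears a grant."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        latest[(ev.token.lower(), ev.owner.lower(), ev.spender.lower())] = ev.value
    return latest


def find_pool_allowances(pools, events, balances):
    """Return a Finding for every non-zero allowance whose owner is a pool.

    balances maps (token, holder) -> current token balance; any spender is
    reported, since a pool should never have approved anyone at all.
    """
    pool_set = {p.lower() for p in pools}
    balances = {(t.lower(), h.lower()): v for (t, h), v in balances.items()}
    findings = []
    for (token, owner, spender), value in latest_allowances(events).items():
        if owner not in pool_set or value == 0:
            continue
        balance = balances.get((token, owner), 0)
        findings.append(Finding(pool=owner, token=token, spender=spender,
                                allowance=value, balance=balance,
                                unlimited=(value == MAX_UINT256)))
    return findings


def report(findings):
    """Human-readable lines, one per finding (returned rather than printed)."""
    lines = []
    for f in findings:
        kind = "UNLIMITED" if f.unlimited else str(f.allowance)
        lines.append(f"pool {f.pool}: spender {f.spender} may transferFrom "
                     f"{f.drainable_fraction:.0%} of its {f.token} balance "
                     f"(allowance {kind})")
    return lines


# --- constructed sample data: placeholder addresses, not real on-chain values ---
USDC = "0xusdc-constructed"
POOL = "0xpool-usdc-mage-constructed"
FEETO = "0xfeeto-constructed"
ROUTER = "0xrouter-constructed"
USER = "0xuser-constructed"

CONSTRUCTED_POOLS = {POOL}
CONSTRUCTED_EVENTS = [
    # Pool deployment grants the privileged fee address an unlimited allowance.
    Approval(USDC, POOL, FEETO, MAX_UINT256, block=100),
    # An ordinary user approving the router: owner is not a pool, so ignored.
    Approval(USDC, USER, ROUTER, 5_000 * 10**6, block=120),
    # A grant that was later revoked must not be reported.
    Approval(USDC, POOL, ROUTER, 1_000 * 10**6, block=130),
    Approval(USDC, POOL, ROUTER, 0, block=131),
]
# Pool reserve at the time of the check (6-decimal token, constructed amount).
CONSTRUCTED_BALANCES = {(USDC, POOL): 147_000 * 10**6}


if __name__ == "__main__":
    for line in report(find_pool_allowances(CONSTRUCTED_POOLS, CONSTRUCTED_EVENTS,
                                            CONSTRUCTED_BALANCES)):
        print(line)
```

With real data, the events come from Approval logs filtered by APPROVAL_TOPIC and the balances from balanceOf() calls; a pool with any finding at all should be treated as drainable by that spender.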

Total Amount Lost

Rekt reports the amount drained from the liquidity pool as $1.8m[3].

The total amount lost has been estimated at $1,800,000 USD.

Immediate Reactions

The initial alarm was raised by community member wasgiventhatday, before blockchain research firm Peckshield spread the message. Merlin then acknowledged the incident the following day, advising users to revoke permissions as a precaution[3].

Initial Warning On Twitter

Twitter user wasgiventhatday originally posted on Twitter to warn about the exploit[7].

@circle 0xb72200739d557ce12b41876772e1e434af896644 has rugged @TheMerlinDEX of $147k . Can you please freeze his USDC on main net?

Ultimate Outcome

The Merlin DEX released a post-mortem a couple of days after the incident.

Merlin DEX Releases Post-Mortem

The Merlin DEX provided a post mortem of the exploit on the following day[11].

it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.

In the early hours of this morning several members of the Back-End Team drained all of our Contracts.

Back-End Technical Team Committers:

https://github.com/pos-ninja

https://github.com/dotnetstar82

https://github.com/OneDev0411

Notable Prior Projects:

@DynoChainNet

@discoverilla (Technical Leads Project)

@InterFiNetwork (KYC + Audit)

They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts.

We had submitted all intended contracts to be used on our platform to Certik who carried out a full audit. However there has been a clear oversight on the overarching power the _owner had of the pools.

Furthermore, the back-end team who also have access to our web-host had unknowingly manipulated our code to achieve their goal.

Our unwavering priority is to return all funds to affected parties and participants on the Merlin platform at the earliest opportunity. To that end, we are working alongside @Certik (Team DOXX by both Prospero & Alatar Recovery Plan) to reimburse all affected users.

We have also notified relevant authorities in Serbia (Region of back-end Team) and work alongside on-chain analysts to monitor the movement of the stolen funds.

These have been tracked to two wallets which can be found below: https://debank.com/profile/0xa7d481944730a88b862eb57248cb1b2c8aa358ad

The wallet _owner/deployer of all affected contracts on ZkSync Mainnet at source are:

https://explorer.zksync.io/address/0xc0D6987d10430292A3ca994dd7A31E461eb28182

https://explorer.zksync.io/address/0xc7fD785f81Fe6bBb499009746a2BCbbdd895f5b0

We are deeply saddened by the actions of the technical team, whom we put a high degree of trust in. Merlin will continue to support our community and resolve the issue.

Attempts At Recovery

"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."

"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."[12]

Total Amount Recovered

"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."

There do not appear to have been any funds recovered in this case.


Ongoing Developments

"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."

"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."

TBD check if the funds have moved since.

General Prevention Policies

Contributing factors were reliance on a single firm for auditing, and the audit being completed before the multi-sig it relied on was actually set up.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Mage.Exchange | MerlinDEX (May 3, 2023)
  2. Merlin A Zksync Dex Liquidity Lodger - Merlin DEX Medium (May 3, 2023)
  3. Rekt - Merlin DEX - REKT (May 3, 2023)
  4. Attacker's Address - zkSync Era Block Explorer (May 3, 2023)
  5. Transaction Draining USDC Liquidity - zkSync Era Block Explorer (May 3, 2023). https://explorer.zksync.io/tx/0x60e652f7d956a76982aeb8caa2f6e9bf73b854ffc3d7f539d4942c326f97eef4
  6. Transaction - zkSync Era Block Explorer (May 3, 2023). https://explorer.zksync.io/tx/0x1707b898638cd5a897ab793d0fadc3c608e4e78ff184fbfdb4f80ec874692355
  7. wasgiventhatday - "@circle 0xb72200739d557ce12b41876772e1e434af896644 has rugged @TheMerlinDEX of $147k . Can you please freeze his USDC on main net?" - Twitter (May 3, 2023). https://twitter.com/wasgiventhatday/status/1651039576860000257
  8. PeckShieldAlert - "#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited." - Twitter (May 3, 2023). https://twitter.com/PeckShieldAlert/status/1651076481240690689
  9. TheMerlinDEX - "Can everyone revoke connected site access on your wallets/sign permission" - Twitter (May 8, 2023). https://twitter.com/TheMerlinDEX/status/1651090982274752513
  10. BeosinAlert - "@TheMerlinDEX Merlin Dex on ZkSync rugged with $1.8M." - Twitter (May 3, 2023). https://twitter.com/BeosinAlert/status/1651124285409460224
  11. TheMerlinDEX - "it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform." - Twitter (May 3, 2023). https://twitter.com/TheMerlinDEX/status/1651281814395187200
  12. MerlinDEX - "We have also notified relevant authorities in Serbia (Region of back-end Team) and work alongside on-chain analysts to monitor the movement of the stolen funds." - Twitter (May 8, 2023). https://twitter.com/TheMerlinDEX/status/1651281825816248348
  13. RektHQ - "$1.8M gone in a puff of smoke as @TheMerlinDEX pulled a classic DeFi magic trick. This is the first rekt we've covered on zksync, but far from the first to be audited by Certik..." - Twitter (May 8, 2023). https://twitter.com/RektHQ/status/1651665786107224065