Merlin DEX Liquidity Pool Drained
Merlin is a decentralized exchange (DEX) based on ZkSync and designed to support both volatile and stable exchanges with minimal fees and fast speed. The platform introduces dynamic directional fees that allow for various fees to be set for each pool and different fees based on the swap direction. Earnings from the protocol will be partially redistributed to stMAGE users and used to maintain a continuous buying pressure on MAGE. However, despite passing its second audit by Certik, Merlin suffered a rug pull during its Liquidity Generation Event, resulting in the loss of $1.8 million. The incident was caused by max approvals granted to the Feeto address upon deployment of the pools, which allowed the individuals in control to drain the pool of all assets and bridge them to ETH. Merlin's post-mortem places the blame on the back-end development team, and the rugged funds were bridged back to Ethereum, swapped for ETH, and transferred to other addresses.
About Merlin DEX
Merlin is a community-focused decentralized exchange (DEX) built on zkSync, a protocol for scalable and secure Ethereum transactions. The platform is designed to offer unique liquidity features, including an innovative yield strategy based on non-fungible staked positions that enhances capital efficiency. Merlin will use two tokens: MAGE, a liquid emission token, and stMAGE, an escrowed governance token that cannot be transferred, to incentivize participants in the ecosystem. Earnings from the protocol will be partially redistributed to stMAGE users in the form of yield and used to maintain a continuous buying pressure on MAGE. stMAGE will be allocated to special contracts known as Plugins, providing additional functionality to the protocol. The platform will have a dynamic automated market maker (AMM) capable of supporting both volatile and stable exchanges with various fees set for each pool and different fees based on the swap direction. Merlin aims to become a liquidity beacon in the zkSync ecosystem by surpassing existing DEX offerings and supporting new protocols launching on zkSync[1][2].
"Merlin had passed its second audit by Certik just two days before the attack."
"Merlin, a DEX native to the recently-launched zksync L2, was in the middle of a 3-day “Liquidity Generation Event” as part of its token (MAGE) launch."
The Reality
Merlin's audit contained the following warning:
"We advise the client to carefully manage the privileged account's private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multisignature wallets."
However, this issue was marked as ‘Resolved’ by Certik, who stated that the Merlin team had promised to use a multisig. Enough users apparently didn’t read the audit fully, or simply didn’t care about the implications of trusting the project.
What Happened
The Merlin DEX liquidity pools, into which users were depositing as part of the MAGE token sale, were drained by the individuals controlling the privileged Feeto address[3].
| Date | Event | Description |
|---|---|---|
| April 25th, 2023 5:58:00 PM MDT | Liquidity Pool Draining | One of the transactions involved in draining the liquidity pool[4][5]. TBD - figure out what this transaction is:[6] |
| April 25th, 2023 7:44:00 PM MDT | Exploit Warning on Twitter | An alarm that the liquidity pool had been drained was initially posted on Twitter by Twitter user wasgiventhatday.[7] |
| April 25th, 2023 10:11:00 PM MDT | PeckShield Posts On Twitter | PeckShield posts an alert on Twitter[8]. TBD details. |
| April 25th, 2023 11:09:00 PM MDT | MerlinDEX Acknowledges Incident | The Merlin DEX acknowledges the exploit on Twitter[9]. TBD more details. |
| April 26th, 2023 1:21:00 AM MDT | Beosin Alert on Twitter | Beosin Alert publishes a warning on Twitter about the exploit[10]. |
| April 26th, 2023 11:47:00 AM MDT | MerlinDEX Releases Post-Mortem | The Merlin DEX provides a post-mortem of the exploit on Twitter[11]. They also announce that they have contacted the Serbian authorities[12]. TBD more details. |
| April 27th, 2023 1:13:00 PM MDT | Rekt Publishes Article | The situation is published on Rekt[13]. TBD more description[3]. |
Technical Details
"The rug mechanism was a straightforward case of draining the liquidity pools into which users were depositing as part of the MAGE token sale."[3]
"This was made possible via max approvals granted to the Feeto address upon deployment of the pools. The individual/s in control of the Feeto address could then drain the pool of all assets, which were then bridged to ETH."
"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."
Furthermore, the back-end team who also have access to our web-host had unknowingly manipulated our code to achieve their goal.
We had submitted all intended contracts to be used on our platform to Certik who carried out a full audit. However there has been a clear oversight on the overarching power the _owner had of the pools.
They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts.
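As an added illustration (not code from Merlin, Rekt or Certik) of how a monitoring check could have surfaced the pattern described above: the script below scans ERC-20 Approval logs and flags any pool contract granting an effectively unlimited allowance to a single spender. The pool, token and spender addresses and the log records are constructed for the example; the list of pool addresses is assumed to be known from deployment.

```python
# Added example, not part of the Merlin post-mortem or the Rekt write-up.
# Flags unlimited ERC-20 approvals emitted by pool contracts to a privileged
# spender (the "max approval to the Feeto address" pattern). Logs are built
# inline in the shape of an eth_getLogs response, so this runs offline.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1

# Constructed addresses (placeholders, not the real Merlin contracts)
POOL = "0x" + "11" * 20     # a liquidity pair contract
FEE_TO = "0x" + "22" * 20   # privileged fee-collection address
TOKEN = "0x" + "33" * 20    # ERC-20 held by the pool
USER = "0x" + "44" * 20     # ordinary depositor

@dataclass(frozen=True)
class Finding:
    token: str    # contract that emitted the Approval
    owner: str    # account whose balance the allowance spends
    spender: str  # account permitted to pull the funds
    value: int

def _pad_address(addr: str) -> str:
    # indexed address topics are left-padded to 32 bytes
    return "0x" + "00" * 12 + addr[2:].lower()

def _topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()

def approval_log(token, owner, spender, value):
    """Build one Approval log record in eth_getLogs shape (constructed data)."""
    return {"address": token,
            "topics": [APPROVAL_TOPIC, _pad_address(owner), _pad_address(spender)],
            "data": "0x" + format(value, "064x")}

def find_risky_approvals(logs, pool_addresses, threshold=UINT256_MAX // 2):
    """Return approvals where a pool is the owner and the allowance is
    effectively unlimited (>= threshold, default half of uint256 max)."""
    pools = {p.lower() for p in pool_addresses}
    findings = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        owner = _topic_to_address(topics[1])
        value = int(log["data"], 16)
        if owner in pools and value >= threshold:
            findings.append(Finding(log["address"].lower(), owner,
                                    _topic_to_address(topics[2]), value))
    return findings

SAMPLE_LOGS = [approval_log(TOKEN, POOL, FEE_TO, UINT256_MAX),  # flagged
               approval_log(TOKEN, USER, POOL, 1_000 * 10**6),   # user -> pool, fine
               approval_log(TOKEN, POOL, FEE_TO, 50 * 10**6)]    # bounded, fine
```

Run against a real deployment, the pool list would come from the factory's pair-creation events and the logs from an archive node filtered on APPROVAL_TOPIC.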
Total Amount Lost
Rekt reports the amount drained from the liquidity pool as $1.8m[3].
The total amount lost has been estimated at $1,800,000 USD.
Immediate Reactions
The initial alarm was raised by community member wasgiventhatday, before blockchain research firm PeckShield spread the message. Merlin then acknowledged the incident the following day, advising users to revoke permissions as a precaution[3].
Initial Warning On Twitter
Twitter user wasgiventhatday originally posted on Twitter to warn about the exploit[7].
@circle 0xb72200739d557ce12b41876772e1e434af896644 has rugged @TheMerlinDEX of $147k . Can you please freeze his USDC on main net?
Ultimate Outcome
The Merlin DEX released a post-mortem a couple of days after the incident.
Merlin DEX Releases Post-Mortem
The Merlin DEX provided a post mortem of the exploit on the following day[11].
it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.
In the early hours of this morning several members of the Back-End Team drained all of our Contracts.
Back-End Technical Team Committers:
https://github.com/pos-ninja
https://github.com/dotnetstar82
https://github.com/OneDev0411
Notable Prior Projects:
@DynoChainNet
@discoverilla (Technical Leads Project)
@InterFiNetwork (KYC + Audit)
They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts.
We had submitted all intended contracts to be used on our platform to Certik who carried out a full audit. However there has been a clear oversight on the overarching power the _owner had of the pools.
Furthermore, the back-end team who also have access to our web-host had unknowingly manipulated our code to achieve their goal.
Our unwavering priority is to return all funds to affected parties and participants on the Merlin platform at the earliest opportunity. To that end, we are working alongside @Certik (Team DOXX by both Prospero & Alatar Recovery Plan) to reimburse all affected users.
We have also notified relevant authorities in Serbia (Region of back-end Team) and work alongside on-chain analysts to monitor the movement of the stolen funds.
These have been tracked to two wallets which can be found below: https://debank.com/profile/0xa7d481944730a88b862eb57248cb1b2c8aa358ad
The wallet _owner/deployer of all affected contracts on ZkSync Mainnet at source are:
https://explorer.zksync.io/address/0xc0D6987d10430292A3ca994dd7A31E461eb28182
https://explorer.zksync.io/address/0xc7fD785f81Fe6bBb499009746a2BCbbdd895f5b0
We are deeply saddened by the actions of the technical team, whom we put a high degree of trust in. Merlin will continue to support our community and resolve the issue.
Attempts At Recovery
"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."
"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."[12]
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
TBD check if the funds have moved since.
General Prevention Policies
Contributing factors included reliance on a single firm for auditing, and the audit being completed before the promised multi-sig was actually set up.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Mage.Exchange | MerlinDEX (May 3, 2023)
2. Merlin A Zksync Dex Liquidity Lodger - Merlin DEX Medium (May 3, 2023)
3. Rekt - Merlin DEX - REKT (May 3, 2023)
4. Attacker's Address - zkSync Era Block Explorer (May 3, 2023)
5. Transaction Draining USDC Liquidity - zkSync Era Block Explorer (May 3, 2023)
6. Transaction - zkSync Era Block Explorer (May 3, 2023)
7. wasgiventhatday - "@circle 0xb72200739d557ce12b41876772e1e434af896644 has rugged @TheMerlinDEX of $147k . Can you please freeze his USDC on main net?" - Twitter (May 3, 2023)
8. PeckShieldAlert - "#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited." - Twitter (May 3, 2023)
9. TheMerlinDEX - "Can everyone revoke connected site access on your wallets/sign permission" - Twitter (May 8, 2023)
10. BeosinAlert - "@TheMerlinDEX Merlin Dex on ZkSync rugged with $1.8M." - Twitter (May 3, 2023)
11. TheMerlinDEX - "it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform." - Twitter (May 3, 2023)
12. MerlinDEX - "We have also notified relevant authorities in Serbia (Region of back-end Team) and work alongside on-chain analysts to monitor the movement of the stolen funds." - Twitter (May 8, 2023)
13. RektHQ - "$1.8M gone in a puff of smoke as @TheMerlinDEX pulled a classic DeFi magic trick. This is the first rekt we've covered on zksync, but far from the first to be audited by Certik..." - Twitter (May 8, 2023)