ZkSync-Based DEX Merlin Drained of $1.8M Despite ‘Audit’ by Certik

in crypto •  last year 

The zkSync-based decentralized exchange Merlin was exploited for over $1.8 million during the public sale of its MAGE token. The drain included about $850,000 worth of USD Coin (USDC) along with other, relatively illiquid tokens. The exploit was neither complex nor sophisticated: it was carried out by an address that already held privileged control over the liquidity pool contract, so the attacker needed a trusted key rather than a code bug.

This happened even though Merlin had been audited by the blockchain security firm CertiK, whose report contained no critical findings.

On-chain data suggests that the funds were bridged back to the Ethereum network before being converted to ether.
CertiK is exploring a community compensation plan with zkSync to cover the lost user funds and is working with law enforcement to track down the rogue developers, who are believed to be based in Europe. The firm has also pointed out that its audit report for Merlin, published before the exploit, had flagged the private-key privilege issue, that is, the centralization risk that addresses controlled by the team could move pool funds.
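The "private key privilege" class of issue is easy to miss in an audit that only looks for code bugs, because the contract does exactly what it was written to do. The following constructed illustration, added here and not taken from Merlin's contracts or CertiK's report, shows the pattern in its simplest form beside a hardened alternative. Contract and variable names (PrivilegedPool, FeeOnlyPool, feeTo, governance) are assumptions for the example; the actual Merlin contract layout is not described on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by both contracts below.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable pattern (constructed illustration): at deployment the pool grants one
/// privileged address an unlimited allowance over both reserve tokens. Nothing in
/// the contract bounds what that address may take, so whoever holds its private key
/// can call token.transferFrom(pool, anywhere, balance) and empty the pool. There is
/// no bug to find here; the risk is the privilege itself.
contract PrivilegedPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeTo;

    constructor(IERC20 _token0, IERC20 _token1, address _feeTo) {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // Standing max allowance to an externally owned account: the whole
        // reserve is one signed transaction away from leaving the pool.
        require(_token0.approve(_feeTo, type(uint256).max), "approve failed");
        require(_token1.approve(_feeTo, type(uint256).max), "approve failed");
    }
}

/// Hardened pattern: no standing allowance. The fee recipient can take only tokens
/// held in excess of the reserves owed to liquidity providers, and the recipient can
/// be changed only by governance after a timelock, giving users time to withdraw if
/// they distrust the new address.
contract FeeOnlyPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public governance;   // should be a multisig or DAO contract, not an EOA
    address public feeTo;
    address public pendingFeeTo;
    uint256 public pendingFeeToActiveAt;
    uint256 public constant TIMELOCK = 2 days;

    // Balances owed to liquidity providers; fees are whatever sits above these.
    uint256 public reserve0;
    uint256 public reserve1;

    event FeeToProposed(address indexed newFeeTo, uint256 activeAt);
    event FeeToChanged(address indexed newFeeTo);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(IERC20 _token0, IERC20 _token1, address _governance, address _feeTo) {
        token0 = _token0;
        token1 = _token1;
        governance = _governance;
        feeTo = _feeTo;
    }

    // Deposit path (swap and withdraw omitted for brevity): reserves grow only by
    // what the pool actually received.
    function deposit(uint256 amount0, uint256 amount1) external {
        require(token0.transferFrom(msg.sender, address(this), amount0), "transfer0 failed");
        require(token1.transferFrom(msg.sender, address(this), amount1), "transfer1 failed");
        reserve0 += amount0;
        reserve1 += amount1;
    }

    // Two-step, timelocked change of the privileged address.
    function proposeFeeTo(address newFeeTo) external onlyGovernance {
        pendingFeeTo = newFeeTo;
        pendingFeeToActiveAt = block.timestamp + TIMELOCK;
        emit FeeToProposed(newFeeTo, pendingFeeToActiveAt);
    }

    function applyFeeTo() external onlyGovernance {
        require(pendingFeeTo != address(0), "nothing pending");
        require(block.timestamp >= pendingFeeToActiveAt, "timelock active");
        feeTo = pendingFeeTo;
        pendingFeeTo = address(0);
        emit FeeToChanged(feeTo);
    }

    // Fees are bounded by construction: token balance minus LP reserves.
    function accruedFees() public view returns (uint256 fee0, uint256 fee1) {
        fee0 = token0.balanceOf(address(this)) - reserve0;
        fee1 = token1.balanceOf(address(this)) - reserve1;
    }

    // Even a compromised feeTo key can take only the accrued fees, never the reserves.
    function collectFees() external {
        require(msg.sender == feeTo, "not feeTo");
        (uint256 fee0, uint256 fee1) = accruedFees();
        if (fee0 > 0) require(token0.transfer(feeTo, fee0), "transfer0 failed");
        if (fee1 > 0) require(token1.transfer(feeTo, fee1), "transfer1 failed");
    }
}
```

The practical check before depositing into any pool is the same one the vulnerable contract fails: call `allowance(pool, spender)` on each reserve token for every privileged address the contract exposes (owner, feeTo, admin roles), and look at whether those addresses are plain EOAs or multisig and timelock contracts. An unlimited allowance or a privileged role held by a single key is a rug-pull vector regardless of what the audit badge says.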

Serious Lessons Learned:

The Merlin exploit, despite the project's CertiK audit, raises a serious question about how much assurance a CertiK audit actually gives. CertiK has audited mostly BSC projects and some other EVM (Arbitrum, Optimism) projects, and the Merlin case suggests that those audits may not be thorough enough to catch the issues that matter, such as privileged keys that can drain user funds.
It is hard to believe that the projects CertiK has audited on BSC, Arbitrum and Optimism are all free of similar weaknesses.

As a result, crypto users should exercise caution when taking part in airdrop events run by protocols on Arbitrum, BSC, Polygon and any zkSync-based protocol. Many of these events ask users to hand over personal data in the hope of winning rewards, and the rewards may not be worth the risk.

Additionally, many ZK technologies, especially those built by Polygon, do not yet have a clear track record or mature documentation and resources around them. It is therefore crucial to stay vigilant and do proper research before investing in any ZK technology.

In conclusion, the Merlin exploit highlights the need for caution and thorough research when investing in any project, even those that have been audited by a reputable firm.

Source: Merlin, Certik
