Merlin, a decentralized exchange (DEX) built on zkSync, a Layer-2 scaling solution that operates on top of the Ethereum blockchain, was exploited for over $1.8 million shortly after a code audit. The exploit, which allowed the attacker to drain the exchange’s liquidity pools, happened despite a thorough security review by a third-party auditor. The incident raises questions about the security of decentralized finance (DeFi) applications and the need for ongoing code audits and other security measures.
Merlin, an Ethereum-based decentralized exchange (DEX) that uses zero-knowledge sync (zkSync), has suffered an exploit that led to a loss of over $1.8 million in a liquidity pool. This happened just a few hours after CertiK, a smart contract security firm, audited Merlin’s code. The attack occurred during Merlin’s public sale of its native token, MAGE. The hacker took several assets, including USD Coin (USDC), Ether (ETH), and other illiquid tokens.
CertiK disclosed that its initial findings suggest the hack may have resulted from a private key management issue rather than a code exploit, as was widely believed. CertiK had pointed out the centralization risk in its recent audit report for Merlin, under the “Decentralization Efforts” section. The firm recommended that Merlin move its centralized roles to a decentralized mechanism, such as multi-signature wallets, to improve its security practices. CertiK also suggested implementing a timelock to avoid a single point of failure in key management. The security firm promised to work with the appropriate authorities if any foul play is discovered.
Interestingly, eZKalibur, another zkSync DEX and launchpad, identified the malicious code that enabled the hackers to drain Merlin’s funds. The DEX found that two lines of code in the initialize function granted the feeTo address approval to transfer an unlimited amount of tokens from the contract’s own address.
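To make the pattern concrete, here is a constructed Solidity illustration (added here; it is not Merlin’s or eZKalibur’s code, and the contract and variable names are assumptions). The first contract shows what an initializer that hands a standing, unlimited allowance to a single privileged address looks like, and why the pool’s reserves then depend entirely on one private key. The second shows a hardened form in which the contract never delegates spending of its reserves: fees are pushed out in exact amounts by the contract’s own logic, and the fee recipient can only be changed by a governance address, which is where a multisig behind a timelock, as the audit recommended, would sit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for the illustration.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed illustration of the risky pattern (NOT Merlin's code): a pair
// contract whose initializer grants an unlimited allowance over both pool
// tokens to a single privileged address.
contract PairWithStandingApproval {
    address public token0;
    address public token1;
    address public feeTo;       // assumed privileged fee-collector address
    bool private initialized;

    function initialize(address _token0, address _token1, address _feeTo) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // These two lines are the risk: the holder of the feeTo key can move
        // the pool's entire reserves at any time, so the liquidity is only as
        // safe as that one private key. An audit can flag this as a
        // centralization risk, but it cannot protect the key itself.
        IERC20(_token0).approve(_feeTo, type(uint256).max);
        IERC20(_token1).approve(_feeTo, type(uint256).max);
    }
}

// Hardened form: no standing allowance. Fees are paid out explicitly, in the
// exact amount owed, by the contract's own logic, and the recipient can only
// be changed by a governance address (assumed to be a multisig behind a
// timelock, per the audit recommendations).
contract PairWithExplicitFeePayout {
    address public token0;
    address public token1;
    address public feeTo;
    address public governance;  // assumed multisig/timelock-controlled admin
    uint256 public pendingFee0; // fees accrued by swap logic (omitted here)
    uint256 public pendingFee1;
    bool private initialized;

    event FeeToUpdated(address indexed oldFeeTo, address indexed newFeeTo);

    function initialize(address _token0, address _token1, address _feeTo, address _governance) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        governance = _governance;
        // No approve() calls: the contract never delegates spending of its reserves.
    }

    function setFeeTo(address _feeTo) external {
        require(msg.sender == governance, "not governance");
        emit FeeToUpdated(feeTo, _feeTo);
        feeTo = _feeTo;
    }

    // Accrued fees are pushed out in bounded amounts; the fee collector holds
    // no allowance and cannot pull funds on its own.
    function collectFees() external {
        uint256 f0 = pendingFee0;
        uint256 f1 = pendingFee1;
        pendingFee0 = 0;
        pendingFee1 = 0;
        if (f0 > 0) require(IERC20(token0).transfer(feeTo, f0), "transfer failed");
        if (f1 > 0) require(IERC20(token1).transfer(feeTo, f1), "transfer failed");
    }
}
```

The design point is that the hardened contract has no `approve` call at all: the amount that can leave the pool for fees is bounded by what the swap logic has actually accrued, and changing where it goes requires a governance transaction, which is exactly the control a multisig and timelock are meant to put in front of.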
Merlin has asked its users to revoke the connected site’s access in their wallets while it analyzes the cause of the exploit. It is essential to read this information and any audit report fully: audits do not prevent private key issues, but they do highlight better practices for projects.
In conclusion, this hack should serve as a wake-up call to DEX users and developers, and it highlights the importance of ensuring better security for DEXs. With decentralized finance continuing to grow, it’s crucial that developers prioritize security in their protocols.