A new one has been added to the hacker attacks in recent days. zkSync a decentralized exchange that uses Merlin, It looks like over $1.82 million was hacked right after getting a code audit from smart contract inspector Certik.
Decentralized Exchange Merlin Hacker Attacked
zkSync DEX Merlin reportedly suffered a $1.82 million hacker attack right after the code audit.
Certik tweeted that he was investigating the incident and that his initial findings pointed to a potential issue with private key management, not a code breach.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul…
— CertiK (@CertiK) April 26, 2023
“Although audits cannot prevent private key issues, we always recommend best practices to projects,” Certik said. “If any errors are detected, we will work with the relevant authorities and share relevant information. Stay tuned for updates.”
Meanwhile, eZKalibur, a zkSync decentralized exchange and launchpad that, like Merlin, forks part of DEX Camelot’s contract, claims to have detected the malicious code responsible for draining funds.
When questioning the quality of Certik’s audit, he explained, “These two lines of code in the initialization function allow feeTo to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract’s address.”
“In this case, the feeTo address can call the transferFrom function on the respective tokens to transfer the tokens from the contract address to it.”
Such a finding should at least be reported as “significant” if not “critical”. eZKalibur said:
“It cannot be seen as a hidden and simple decentralization problem. Because without a time lock, it can lead to instant draining of all the funds invested in the protocol, which is exactly what happens.”
Merlin developers have since asked users to revoke their website-linked wallet permissions. They stated that they analyzed the protocol being hacked.
*Not investment advice.
For exclusive news, analytics and on-chain data Telegram our group, twitter our account and YouTube Follow our channel now! Moreover Android And iOS Start live price tracking right now by downloading our apps!