In a recent Liquidity Generation Event, the Merlin decentralized exchange (DEX) suffered a loss of approximately $1.8 million, sparking speculation of a hack or rug pull. Merlin, a native DEX on the popular zkSync L2 blockchain platform, was launching its MAGE tokens when the incident occurred. The event has raised questions about the security of decentralized finance (DeFi), prompting a closer examination of the incident and its implications for the DeFi landscape.
The Unraveling of the Hack
During the MAGE token sale, the parties controlling the feeTo (fee recipient) address exploited a weakness in how the pool contracts handled maximum approvals: the pools had granted that address unlimited token allowances. This gave them unrestricted access to the asset pools, allowing them to systematically drain the liquidity pools where users had deposited their funds. The stolen assets were then moved to the Ethereum network, where deeper liquidity made quick transfers easier, and the attackers could further obscure their tracks by passing the funds through other addresses.
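The precondition described above (a single privileged address holding unlimited allowances over a protocol's pool reserves) is something a monitor can flag from on-chain Approval events before any drain happens. The following is an added example, not code from Merlin or any audit firm; the addresses, pool set and log entries are constructed sample data in JSON-RPC log shape, and the 2**128 "effectively unlimited" threshold is an assumed cut-off.

```python
from collections import defaultdict
from typing import Optional

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
NEAR_UNLIMITED = 2**128  # assumed cut-off: anything this large is effectively unlimited

def _addr(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte, zero-padded log topic."""
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict) -> Optional[dict]:
    """Decode an ERC-20 Approval log into token/owner/spender/value; None if not one."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": _addr(topics[1]),
            "spender": _addr(topics[2]), "value": int(log["data"], 16)}

def find_pool_drain_risk(logs: list, pools: set) -> dict:
    """Map spender -> [(pool, token)] for every near-unlimited allowance whose
    owner is one of the protocol's own pool contracts. One spender holding such
    allowances across many pools is the precondition for a pool-wide drain."""
    hits = defaultdict(list)
    for log in logs:
        ev = decode_approval(log)
        if ev and ev["owner"] in pools and ev["value"] >= NEAR_UNLIMITED:
            hits[ev["spender"]].append((ev["owner"], ev["token"]))
    return dict(hits)

def _log(token: str, owner: str, spender: str, value: int) -> dict:
    """Build a constructed Approval log in JSON-RPC shape (sample data, not real)."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed addresses: two pools, a privileged feeTo, a router and an ordinary user
POOL_A, POOL_B = "0x" + "a1" * 20, "0x" + "b2" * 20
FEE_TO, ROUTER, USER = "0x" + "fe" * 20, "0x" + "77" * 20, "0x" + "11" * 20
USDC, WETH = "0x" + "c0" * 20, "0x" + "e0" * 20
SAMPLE_LOGS = [
    _log(USDC, POOL_A, FEE_TO, UNLIMITED),  # pool hands feeTo its whole reserve
    _log(WETH, POOL_A, FEE_TO, UNLIMITED),
    _log(USDC, POOL_B, FEE_TO, UNLIMITED),
    _log(USDC, USER, ROUTER, UNLIMITED),    # user -> router: owner is not a pool, ignored
    _log(WETH, POOL_B, ROUTER, 10**18),     # bounded allowance from a pool: fine
]
```

Running `find_pool_drain_risk(SAMPLE_LOGS, {POOL_A, POOL_B})` returns only the feeTo address, holding unlimited allowances over three pool reserves; in practice the log list would come from `eth_getLogs` filtered on the Approval topic and the protocol's known pool addresses.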
Merlin’s Investigation and Accountability
Following the breach, Merlin launched an investigation to identify the responsible parties and determine the cause of the security breach. The investigation revealed that the back-end development team was responsible for the hack. Unauthorized changes had been made to the smart contracts, and the maximum approvals feature was exploited, giving the team unrestricted access to the liquidity pools. Merlin reportedly took legal action against the identified developers, sharing their GitHub profiles and contacting Serbian authorities.
Assessing Certik Audits
Certik, a well-known audit firm, conducted the second audit for Merlin. However, the breach occurred just two days after the audit, raising doubts about the effectiveness of Certik’s audits. While the initial audit report had highlighted trust issues, it was later marked as “resolved” after Merlin committed to implementing a multi-sig solution. This incident emphasizes the need to be cautious about relying solely on quick and inadequate audits, and places greater responsibility on users for their own security measures.
Compensating Rugpull Victims
In response to the incident, Certik and Merlin are working on a $2 million plan to reimburse victims of the rug pull. Merlin has already notified the relevant authorities, and the stolen assets have been traced to two wallets, with legal action underway. Certik has taken steps to avoid legal repercussions by offering a 20% white hat bounty to the developers involved.
Security, accountability, and transparency are paramount in safeguarding users and their investments in the DeFi space. Incidents like this are a stark reminder of the importance of vigilance and personal responsibility. As the DeFi ecosystem evolves, investors increasingly demand transparency from project teams to prevent future attacks and foster a culture of accountability.