Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit. "While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
Meanwhile, eZKalibur — a zkSync decentralized exchange and launchpad that, like Merlin, forked part of DEX Camelot's contract — claims to have identified the malicious code responsible for the draining of funds.
"These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract's address," it explained while questioning the quality of Certik's audit. "In this case, the feeTo address could potentially call the transferFrom function on the respective tokens to transfer tokens from the contract's address to itself."
Though Certik tweeted that it had highlighted Merlin's centralization risk in its audit of the DEX, some feel the audit should have flagged the risk of a rug pull.
"A finding like this should be reported at least as 'major,' if not 'critical,'" eZKalibur commented to The Block, adding: "It can't be marked as a hidden and simple decentralization issue since, without a timelock, it could lead to an immediate drain of the totality of the funds deposited on the protocol, which is exactly what happened."
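To make the mechanism eZKalibur describes concrete, here is an added illustration (it is not Merlin's, Camelot's or Certik's code): a minimal pair contract whose initialize() grants feeTo the unlimited allowance in question, beside a hardened variant that holds no standing allowance over reserves and releases only accrued fees after a timelock. Contract and field names, the two-day delay and the fee-accrual bookkeeping are assumptions.

```solidity
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Reconstructed pattern (not Merlin's actual source): initialize() hands feeTo an
// unlimited allowance over both reserve tokens, so feeTo can drain them at any time.
contract PairWithBackdoor {
    address public token0;
    address public token1;
    address public feeTo;
    function initialize(address _token0, address _token1, address _feeTo) external {
        require(feeTo == address(0), "already initialized");
        (token0, token1, feeTo) = (_token0, _token1, _feeTo);
        // The two lines eZKalibur pointed at: uncapped allowance, no timelock.
        IERC20(_token0).approve(_feeTo, type(uint256).max);
        IERC20(_token1).approve(_feeTo, type(uint256).max);
    }
}

// Hardened form: no standing allowance over reserves. Only fees credited by the swap
// logic (omitted here) can leave, and only after a timelock that users can react to.
contract PairWithAccruedFees {
    uint256 public constant TIMELOCK = 2 days; // assumed notice period
    address public immutable token0;
    address public immutable token1;
    address public immutable feeTo;
    uint256 public accruedFees0; // credited by swap logic, never exceeds fees earned
    uint256 public accruedFees1;
    uint256 public withdrawalUnlockedAt = type(uint256).max; // locked until requested
    constructor(address _token0, address _token1, address _feeTo) {
        token0 = _token0; // no approve() anywhere: reserves cannot leave via transferFrom
        token1 = _token1;
        feeTo = _feeTo;
    }
    function requestFeeWithdrawal() external {
        require(msg.sender == feeTo, "not feeTo");
        withdrawalUnlockedAt = block.timestamp + TIMELOCK; // visible on-chain before any funds move
    }
    function withdrawFees() external {
        require(msg.sender == feeTo && block.timestamp >= withdrawalUnlockedAt, "locked");
        (uint256 a0, uint256 a1) = (accruedFees0, accruedFees1);
        (accruedFees0, accruedFees1) = (0, 0);
        withdrawalUnlockedAt = type(uint256).max; // re-lock; next withdrawal needs a new request
        require(IERC20(token0).transfer(feeTo, a0), "transfer0 failed");
        require(IERC20(token1).transfer(feeTo, a1), "transfer1 failed");
    }
}
```

Reviewing a fork for this class of issue means checking every approve() call in constructors and initializers for an unbounded amount to a privileged address, and confirming that any fee path is capped and timelocked rather than an open allowance over the pool's balance.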
Merlin developers have since asked users to revoke wallet permissions connected to its website. They claim to be analyzing the exploit of the protocol.
Merlin did not immediately respond to a request for comment. The Block also contacted Certik.
Update: The incident was initially believed to be a hack, but security analysts, including CertiK, concluded that it was a rug pull – an exit scam executed by one or more developers of the Merlin team with privileged access to user funds deposited in the protocol's smart contracts.
© 2023 The Block. All Rights Reserved.